CVE-2020-26167 - OpenCVE

In FUEL CMS 11.4.12 and before, the page preview feature allows an anonymous user to take complete ownership of any account including an administrator one.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:N/AC:L/Au:N/C:C/I:C/A:C

Vendors & Products
CPE Configurations

Vendors	Products
Thedaylightstudio	Fuel Cms

Configuration 1 [-]

cpe:2.3:a:thedaylightstudio:fuel_cms:*:*:*:*:*:*:*:*

References

Link	Resource
https://excellium-services.com/cert-xlm-advisory/cve-2020-26167/	Third Party Advisory
https://github.com/daylightstudio/FUEL-CMS/	Third Party Advisory
https://thedaylightstudio.com/	Vendor Advisory
https://www.getfuelcms.com/	Product Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2020-11-04T16:39:21

Updated: 2020-11-04T16:39:21

Reserved: 2020-09-30T00:00:00

Link: CVE-2020-26167

JSON object: View

NVD Information

Status : Analyzed

Published: 2020-11-04T17:15:13.207

Modified: 2021-07-21T11:39:23.747

Link: CVE-2020-26167

JSON object: View

Redhat Information

No data.

CWE

NVD-CWE-noinfo

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "In FUEL CMS 11.4.12 and before, the page preview feature allows an anonymous user to take complete ownership of any account including an administrator one."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-11-04T16:39:21", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://excellium-services.com/cert-xlm-advisory/cve-2020-26167/"}, {"tags": ["x_refsource_MISC"], "url": "https://www.getfuelcms.com/"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/daylightstudio/FUEL-CMS/"}, {"tags": ["x_refsource_MISC"], "url": "https://thedaylightstudio.com/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-26167", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In FUEL CMS 11.4.12 and before, the page preview feature allows an anonymous user to take complete ownership of any account including an administrator one."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://excellium-services.com/cert-xlm-advisory/cve-2020-26167/", "refsource": "MISC", "url": "https://excellium-services.com/cert-xlm-advisory/cve-2020-26167/"}, {"name": "https://www.getfuelcms.com/", "refsource": "MISC", "url": "https://www.getfuelcms.com/"}, {"name": "https://github.com/daylightstudio/FUEL-CMS/", "refsource": "MISC", "url": "https://github.com/daylightstudio/FUEL-CMS/"}, {"name": "https://thedaylightstudio.com/", "refsource": "MISC", "url": "https://thedaylightstudio.com/"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-26167", "datePublished": "2020-11-04T16:39:21", "dateReserved": "2020-09-30T00:00:00", "dateUpdated": "2020-11-04T16:39:21", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:thedaylightstudio:fuel_cms:*:*:*:*:*:*:*:*", "matchCriteriaId": "3A8D9736-AB00-456A-803F-86D12973227B", "versionEndIncluding": "1.4.12", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In FUEL CMS 11.4.12 and before, the page preview feature allows an anonymous user to take complete ownership of any account including an administrator one."}, {"lang": "es", "value": "En FUEL CMS versiones 11.4.12 y anteriores, la funcionalidad page preview de una p\u00e1gina permite a un usuario an\u00f3nimo tomar la propiedad completa de cualquier cuenta, incluyendo la de un administrador"}], "id": "CVE-2020-26167", "lastModified": "2021-07-21T11:39:23.747", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 10.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-11-04T17:15:13.207", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://excellium-services.com/cert-xlm-advisory/cve-2020-26167/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/daylightstudio/FUEL-CMS/"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://thedaylightstudio.com/"}, {"source": "cve@mitre.org", "tags": ["Product", "Vendor Advisory"], "url": "https://www.getfuelcms.com/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}