@Barriuso
Last active May 27, 2020 12:30
CVE-2017-11422
> [Description]
> Statamic framework version 2.5.11 and previous versions do not
> correctly check a session's permissions when the methods from a user's
> class are called. Problematic methods include reset password, create
> new account, create new role, etc.
>
> [Vulnerability Type]
> Incorrect Access Control
>
> ------------------------------------------
>
> [Affected Product Code Base]
> Statamic Framework CMS - 2.5.11 and previous versions.
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact Escalation of Privileges]
> true
>
> ------------------------------------------
>
> [CVE Impact Other]
> Reset any password account.
>
> ------------------------------------------
>
> [Attack Vectors]
> Needs an account on the framework with the permission to see the dashboard. This could be an editor who already has access to the
> application, or a newly created user if the web application assigns some roles by default when the user is created.
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?]
> True; fixed in version 2.6.0
>
> ------------------------------------------
>
> [Discoverer]
> @_Barriuso
> DEMO VIDEO
> https://youtu.be/xEOSuS2q_Zc
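The access-control flaw described above is a coarse gate (the caller can see the dashboard) standing in for a per-action permission check. The following is an added illustration written for this page, not Statamic's own code; the class names `Session`, `VulnerableUserController`, `HardenedUserController` and the permission strings are hypothetical, and the sample session is constructed.

```php
<?php
// Added illustration, not Statamic code. All names below are hypothetical.
final class Forbidden extends RuntimeException {}

final class Session {
    public function __construct(private array $permissions) {}
    public function can(string $permission): bool {
        // 'super' is a constructed shorthand for an admin holding every permission.
        return in_array('super', $this->permissions, true)
            || in_array($permission, $this->permissions, true);
    }
}

final class VulnerableUserController {
    public function __construct(private Session $session) {}
    // Only check: the caller may view the dashboard. Any dashboard user can
    // therefore reset any account's password. This models the reported bug.
    public function resetPassword(string $username, string $newPassword): string {
        if (!$this->session->can('dashboard:view')) throw new Forbidden('no dashboard access');
        return "password for {$username} reset";
    }
}

final class HardenedUserController {
    public function __construct(private Session $session) {}
    // Every privileged method demands its own, specific permission before acting.
    private function authorize(string $permission): void {
        if (!$this->session->can($permission)) {
            throw new Forbidden("missing permission: {$permission}");
        }
    }
    public function resetPassword(string $username, string $newPassword): string {
        $this->authorize('users:reset-password');
        return "password for {$username} reset";
    }
    public function createRole(string $name): string {
        $this->authorize('roles:create');
        return "role {$name} created";
    }
}

// Constructed sample: an editor whose only permission is viewing the dashboard.
$editor = new Session(['dashboard:view']);
echo (new VulnerableUserController($editor))->resetPassword('admin', 'x'), "\n"; // allowed: the flaw
try {
    (new HardenedUserController($editor))->resetPassword('admin', 'x');
} catch (Forbidden $e) {
    echo "hardened controller denied request: ", $e->getMessage(), "\n";
}
```

The practical check when reviewing a handler is that each sensitive action names the permission it requires, rather than inheriting whatever check let the caller reach the surrounding page.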