Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
CVE-2017-11422
CVE-2017-11422
> [Description]
> Statamic framework version 2.5.11 and previous versions does not
> correctly check a session's permissions when the methods from a user's
> class are called. Problematic methods include reset password, create
> new account, create new role, etc.
>
> [Vulnerability Type]
> Incorrect Access Control
>
> ------------------------------------------
>
> [Affected Product Code Base]
> Statamic Framework CMS - 2.5.11 and previous versions.
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact Escalation of Privileges]
> true
>
> ------------------------------------------
>
> [CVE Impact Other]
> Reset any password account.
>
> ------------------------------------------
>
> [Attack Vectors]
> Need an account of the framework with the permission to see the dashboard. This could be accomplished by an editor who has previous access to the
> application or if the web application has set by default some roles when the user is created.
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?]
> true and fixed on version 2.6.0
>
> ------------------------------------------
>
> [Discoverer]
> rambo69
> DEMO VIDEO
> https://youtu.be/xEOSuS2q_Zc
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.