Cuteflow 2.10.3 - 'edituser.php' Security Bypass
| EKU-ID: 17253 | CVE: CVE-2009-2960;OSVDB-57391 | OSVDB-ID: |
| Author: Hever Costa Rocha | Published: 2009-08-24 | Verified:
 |
| Download: | ||
Rating☆☆☆☆☆ |
| EKU-ID: 17253 | CVE: CVE-2009-2960;OSVDB-57391 | OSVDB-ID: |
| Author: Hever Costa Rocha | Published: 2009-08-24 | Verified:
|
| Download: | ||
Rating☆☆☆☆☆ |
It's possible edit the users (including the admin account), bypassing the authentication through the address: http://localhost/cuteflow/pages/edituser.php?userid=1&language=pt&sortby=st rLastName&sortdir=ASC&start=1 The vulnerability is caused due to the application not properly restricting access to the pages/edituser.php script. This can be exploited to modify a user's username and password without having proper credentials. Hever Costa Rocha # milw0rm.com [2009-08-24]