Exponent CMS → 2.3.5: Administrators may be able to edit super-administrator profiles
Reported by Sachin Wagh | December 25th, 2015 @ 08:14 PM | in 2.3.7 (closed)
Information
Vulnerability Type : Exponent CMS → 2.3.5: Parameter Tampering Information Disclosure
Vulnerable Version : 2.3.5
CVE-ID :
Severity: Medium
Author – Sachin Wagh (@tiger_tigerboy)
Description
Exponent CMS is prone to a Parameter Tampering Information Disclosure because it fails to sanitize user-supplied input. By changing the value it is possible to see any user's information, such as the superadmin's, and it is also possible to guess how many users exist.
Credits & Authors
Sachin Wagh (@tiger_tigerboy)
Comments and changes to this ticket
-
Sachin Wagh December 26th, 2015 @ 05:06 PM
Hi dleffer,
Even if the user is admin or superadmin, they can see the information vice versa by tampering with the parameter.
Thanks.
-
expNinja December 26th, 2015 @ 05:56 PM
- State changed from new to resolved
(from [1d8f6e4eec369da5d2d05928cfa75ac8dbedc3c8]) Fixes security issue where an admin user could possibly edit a super-admin user [#1322 state:resolved] https://github.com/exponentcms/exponent-cms/commit/1d8f6e4eec369da5...
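The ticket above describes two defender-relevant gaps: the profile handler checked that the requested id existed but not whether the requester outranked the target, and its differing responses let a tampering user count accounts. The following is an added illustration, not Exponent CMS code and not the fix in the linked commit; the privilege levels, the constructed user table, and the "strictly lower level or yourself" policy are assumptions made for the example. It places a vulnerable handler beside a hardened one and simulates id tampering over both so the difference in what an admin learns is visible.

```python
"""Profile-access check, constructed as an example (not Exponent CMS code)."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed privilege levels; only their ordering matters.
USER, ADMIN, SUPERADMIN = 0, 1, 2


@dataclass(frozen=True)
class User:
    id: int
    name: str
    level: int


# Constructed user table standing in for the CMS database.
USERS: Dict[int, User] = {
    1: User(1, "root", SUPERADMIN),
    2: User(2, "alice", ADMIN),
    3: User(3, "bob", USER),
}


class Denied(Exception):
    """Raised for forbidden and unknown targets alike, so the two are indistinguishable."""


def get_profile_vulnerable(requester: User, target_id: int) -> Optional[User]:
    """Before: the id taken from the request is looked up with no privilege check,
    so an admin can reach the super-admin's record. It also leaks enumeration:
    None for ids that do not exist, a profile for ids that do."""
    return USERS.get(target_id)


def can_access(requester: User, target: User) -> bool:
    """Assumed policy: a user may view/edit their own profile, or any profile with a
    strictly lower level. Admins therefore cannot reach super-admins or other admins."""
    if requester.id == target.id:
        return True
    return requester.level > target.level


def get_profile_fixed(requester: User, target_id: int) -> User:
    """After: authorization check plus a uniform failure, so a tampering admin learns
    neither the super-admin's data nor which ids exist."""
    target = USERS.get(target_id)
    if target is None or not can_access(requester, target):
        raise Denied("profile not available")
    return target


def is_denied(requester: User, target_id: int) -> bool:
    """True when the hardened handler refuses the request (helper for checks)."""
    try:
        get_profile_fixed(requester, target_id)
    except Denied:
        return True
    return False


def probe(requester: User, ids: range, handler: Callable) -> Dict[int, Optional[str]]:
    """Simulate parameter tampering across a range of ids and record what the
    requester learns from each id: the target's name, or None."""
    seen: Dict[int, Optional[str]] = {}
    for i in ids:
        try:
            result = handler(requester, i)
        except Denied:
            result = None
        seen[i] = None if result is None else result.name
    return seen


if __name__ == "__main__":
    alice = USERS[2]  # an admin tampering with the id parameter
    print("vulnerable:", probe(alice, range(1, 5), get_profile_vulnerable))
    print("fixed:     ", probe(alice, range(1, 5), get_profile_fixed))
```

Run as a script, the vulnerable probe shows the admin reading `root` at id 1 and distinguishing id 4 (absent) from the three real accounts; the fixed probe returns the same `None` for id 1 and id 4, so neither the super-admin's profile nor the account count is exposed. The check to carry over to a real handler is the combination: compare privilege levels, and fail identically for "forbidden" and "not found".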
Bug Tracker for Exponent CMS