OpenCVE

LokiCMS 0.3.4 and possibly earlier versions does not properly restrict access to administrative functions, which allows remote attackers to bypass intended restrictions and modify configuration settings via the LokiACTION parameter in a direct request to admin.php.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Lokicms	Lokicms

Configuration 1 [-]

cpe:2.3:a:lokicms:lokicms:0.3.4:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://osvdb.org/45866
http://www.securityfocus.com/archive/1/492877/100/0/threaded
http://www.securityfocus.com/bid/29448
https://exchange.xforce.ibmcloud.com/vulnerabilities/42766

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2009-04-07T10:00:00

Updated: 2024-08-07T11:34:47.362Z

Reserved: 2009-04-06T00:00:00

Link: CVE-2008-6643

Vulnrichment

No data.

NVD

Status : Modified

Published: 2009-04-07T14:17:17.813

Modified: 2024-11-21T00:57:04.670

Link: CVE-2008-6643

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2008-05-31T00:00:00", "descriptions": [{"lang": "en", "value": "LokiCMS 0.3.4 and possibly earlier versions does not properly restrict access to administrative functions, which allows remote attackers to bypass intended restrictions and modify configuration settings via the LokiACTION parameter in a direct request to admin.php."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-10-11T19:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "45866", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://osvdb.org/45866"}, {"name": "29448", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/29448"}, {"name": "lokicms-admin-security-bypass(42766)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/42766"}, {"name": "20080531 LokiCMS Multiple Vulnerabilities through Authorization weakness", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://www.securityfocus.com/archive/1/492877/100/0/threaded"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2008-6643", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "LokiCMS 0.3.4 and possibly earlier versions does not properly restrict access to administrative functions, which allows remote attackers to bypass intended restrictions and modify configuration settings via the LokiACTION parameter in a direct request to admin.php."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "45866", "refsource": "OSVDB", "url": "http://osvdb.org/45866"}, {"name": "29448", "refsource": "BID", "url": "http://www.securityfocus.com/bid/29448"}, {"name": "lokicms-admin-security-bypass(42766)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/42766"}, {"name": "20080531 LokiCMS Multiple Vulnerabilities through Authorization weakness", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/492877/100/0/threaded"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-07T11:34:47.362Z"}, "title": "CVE Program Container", "references": [{"name": "45866", "tags": ["vdb-entry", "x_refsource_OSVDB", "x_transferred"], "url": "http://osvdb.org/45866"}, {"name": "29448", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/29448"}, {"name": "lokicms-admin-security-bypass(42766)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/42766"}, {"name": "20080531 LokiCMS Multiple Vulnerabilities through Authorization weakness", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "http://www.securityfocus.com/archive/1/492877/100/0/threaded"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2008-6643", "datePublished": "2009-04-07T10:00:00", "dateReserved": "2009-04-06T00:00:00", "dateUpdated": "2024-08-07T11:34:47.362Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:lokicms:lokicms:0.3.4:*:*:*:*:*:*:*", "matchCriteriaId": "64C57EEB-4C90-494C-AD38-46CF0353DD98", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "LokiCMS 0.3.4 and possibly earlier versions does not properly restrict access to administrative functions, which allows remote attackers to bypass intended restrictions and modify configuration settings via the LokiACTION parameter in a direct request to admin.php."}, {"lang": "es", "value": "LokiCMS v0.3.4 y posiblemente versiones anteriores no restringe propiamente acceso a funciones administrativas, lo que permite a los atacantes remotos evitar restricciones establecidas y modificar los par\u00e1metros de configuraci\u00f3n a trav\u00e9s del par\u00e1metro LokiACTION en una petici\u00f3n directa a admin.php."}], "id": "CVE-2008-6643", "lastModified": "2024-11-21T00:57:04.670", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2009-04-07T14:17:17.813", "references": [{"source": "cve@mitre.org", "url": "http://osvdb.org/45866"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/492877/100/0/threaded"}, {"source": "cve@mitre.org", "tags": ["Exploit"], "url": "http://www.securityfocus.com/bid/29448"}, {"source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/42766"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://osvdb.org/45866"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/492877/100/0/threaded"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit"], "url": "http://www.securityfocus.com/bid/29448"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/42766"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-264"}], "source": "nvd@nist.gov", "type": "Primary"}]}