Episerver Ektron CMS before 9.0 SP3 Site CU 31, 9.1 before SP3 Site CU 45, or 9.2 before SP2 Site CU 22 allows remote attackers to call aspx pages via the "activateuser.aspx" page, even if a page is located under the /WorkArea/ path, which is forbidden (normally available exclusively for local admins).
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2018-10-10T21:00:00

Updated: 2024-08-05T08:38:06.360Z

Reserved: 2018-06-20T00:00:00

Link: CVE-2018-12596

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2018-10-10T21:29:01.430

Modified: 2024-11-21T03:45:30.473

Link: CVE-2018-12596

cve-icon Redhat

No data.