Vulnerability Description
In FUEL CMS 11.4.12 and before, the page preview feature allows an anonymous user to take complete ownership of any account including an administrator one.
CVSS Score
9.8
CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Thedaylightstudio | Fuel Cms | <= 1.4.12 |
References
- https://cds.thalesgroup.com/en/tcs-cert/CVE-2020-26167
- https://excellium-services.com/cert-xlm-advisory/cve-2020-26167/Third Party Advisory
- https://github.com/daylightstudio/FUEL-CMS/Third Party Advisory
- https://thedaylightstudio.com/Vendor Advisory
- https://www.getfuelcms.com/ProductVendor Advisory
- https://excellium-services.com/cert-xlm-advisory/cve-2020-26167/Third Party Advisory
- https://github.com/daylightstudio/FUEL-CMS/Third Party Advisory
- https://thedaylightstudio.com/Vendor Advisory
- https://www.getfuelcms.com/ProductVendor Advisory
FAQ
What is CVE-2020-26167?
CVE-2020-26167 is a vulnerability with a CVSS score of 9.8 (CRITICAL). In FUEL CMS 11.4.12 and before, the page preview feature allows an anonymous user to take complete ownership of any account including an administrator one.
How severe is CVE-2020-26167?
CVE-2020-26167 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2020-26167?
Check the references section above for vendor advisories and patch information. Affected products include: Thedaylightstudio Fuel Cms.