返回 CVE 浏览器

CVE-2020-26167

CRITICAL

9.8

CVSS Severity Score

EPSS Score0.0720%

EPSS Percentile2.86th

Published2020年11月4日

Last Modified2025年5月30日

Vulnerability Description

In FUEL CMS 11.4.12 and before, the page preview feature allows an anonymous user to take complete ownership of any account including an administrator one.

Affected Platforms (CPE)

📦

Thedaylightstudio

Fuel Cms

<= 1.4.12

References & Advisories

🔗 https://cds.thalesgroup.com/en/tcs-cert/CVE-2020-26167

🔗 https://excellium-services.com/cert-xlm-advisory/cve-2020-26167/

🔗 https://github.com/daylightstudio/FUEL-CMS/

🔗 https://thedaylightstudio.com/

🔗 https://www.getfuelcms.com/

🔗 https://excellium-services.com/cert-xlm-advisory/cve-2020-26167/

🔗 https://github.com/daylightstudio/FUEL-CMS/

🔗 https://thedaylightstudio.com/

相关漏洞威胁

CVE-2020-247919.8

FUEL CMS 1.4.8 allows SQL injection via the 'fuel_replace_id' parameter in pages/replace/1. Exploiting this issue could allow an a...

CVE-2020-174639.8

FUEL CMS 1.4.7 allows SQL Injection via the col parameter to /pages/items, /permissions/items, or /navigation/items.

CVE-2020-260459.8

FUEL CMS 1.4.11 allows SQL Injection via parameter 'name' in /fuel/permissions/create/. Exploiting this issue could allow an attac...

CVE-2020-221519.8

Permissions vulnerability in Fuel-CMS v.1.4.6 allows a remote attacker to execute arbitrary code via a crafted zip file to the ass...