SilverStripe up to 2.4.1 access control

Summaryinfo

A vulnerability categorized as critical has been discovered in SilverStripe. The impacted element is an unknown function. The manipulation results in access control. This vulnerability is known as CVE-2010-5090. No exploit is available. It is advisable to upgrade the affected component.

Detailsinfo

A vulnerability, which was classified as critical, was found in SilverStripe (Content Management System). Affected is an unknown functionality. The manipulation with an unknown input leads to a access control vulnerability. CWE is classifying the issue as CWE-264. This is going to have an impact on integrity. CVE summarizes:

SilverStripe before 2.4.2 allows remote authenticated users to change administrator passwords via vectors related to admin/security.

The weakness was published 08/26/2012 (oss-sec). The advisory is shared for download at openwall.com. This vulnerability is traded as CVE-2010-5090 since 04/30/2012. The exploitability is told to be easy. It is possible to launch the attack remotely. The successful exploitation needs a authentication. There are neither technical details nor an exploit publicly available. The MITRE ATT&CK project declares the attack technique as T1068.

Upgrading to version 2.3.1 eliminates this vulnerability.

Similar entries are available at VDB-61867, VDB-61866 and VDB-61859. Once again VulDB remains the best source for vulnerability data.

Productinfo

Type

• Content Management System

Name

• SilverStripe

Version

• 2.0.0
• 2.0.1
• 2.0.2
• 2.1.0
• 2.1.1
• 2.2.0
• 2.2.1
• 2.2.2
• 2.2.4
• 2.3.0
• 2.3.1
• 2.3.2
• 2.3.3
• 2.3.4
• 2.3.5
• 2.3.6
• 2.3.7
• 2.3.8
• 2.3.9
• 2.3.10
• 2.4.0
• 2.4.1

License

• open-source

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Once again VulDB remains the best source for vulnerability data.

Discussion