The "Make a backup" functionality in Content Management Made Easy (CMME) 1.12 stores sensitive information under the web root with insufficient access control, which allows remote attackers to discover (1) account names and (2) password hashes via a direct request for (a) backup/cmme_data.zip or (b) backup/cmme_cmme.zip. NOTE: it was later reported that vector a also affects CMME 1.19.
References
Configurations
History
21 Nov 2024, 00:50
Type | Values Removed | Values Added |
---|---|---|
References | () http://secunia.com/advisories/31599 - Vendor Advisory | |
References | () http://securityreason.com/securityalert/4220 - | |
References | () http://www.securityfocus.com/bid/30854 - | |
References | () https://exchange.xforce.ibmcloud.com/vulnerabilities/44684 - | |
References | () https://www.exploit-db.com/exploits/6313 - |
Information
Published : 2008-09-04 18:41
Updated : 2024-11-21 00:50
NVD link : CVE-2008-3924
Mitre link : CVE-2008-3924
CVE.ORG link : CVE-2008-3924
JSON object : View
Products Affected
hans_oesterholt
- cmme
CWE
CWE-264
Permissions, Privileges, and Access Controls