Improper access control

2008-09-0418:41:00

PRIOn knowledge base

www.prio-n.com

7 High

AI Score

Confidence

Low

0.003 Low

EPSS

Percentile

71.7%

JSON

The “Make a backup” functionality in Content Management Made Easy (CMME) 1.12 stores sensitive information under the web root with insufficient access control, which allows remote attackers to discover (1) account names and (2) password hashes via a direct request for (a) backup/cmme_data.zip or (b) backup/cmme_cmme.zip. NOTE: it was later reported that vector a also affects CMME 1.19.

CPENameOperatorVersion
cmmeeq1.12

CPE	Name	Operator	Version
	cmme	eq	1.12

References

secunia.com/advisories/31599

securityreason.com/securityalert/4220

www.securityfocus.com/bid/30854

exchange.xforce.ibmcloud.com/vulnerabilities/44684

www.exploit-db.com/exploits/6313