Administrative password reset in Pagekit CMS
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2017-5594 |
| CWE-ID | CWE-264 |
| Exploitation vector | Network |
| Public exploit | Public exploit code for vulnerability #1 is available. |
| Vulnerable software Subscribe |
Pagekit CMS Web applications / CMS |
| Vendor | YOOtheme |
Security Bulletin
This security bulletin contains one high risk vulnerability.
1) Administrative password reset
EUVDB-ID: #VU5378
Risk: High
CVSSv3.1: 7.5 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C]
CVE-ID: CVE-2017-5594
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to gain administrative access to vulnerable website.
The vulnerability exists due to incorrect validation of user-supplied data during password reset process, when the debug toolbar is enabled. A remote attacker can send a specially crafted HTTP request and reset administrator’s password.
Successful exploitation of the vulnerability may allow an attacker to gain full access to vulnerable website.
MitigationUpdate to version 1.0.11.
Vulnerable software versionsPagekit CMS: 1.0.10
External linkshttp://github.com/pagekit/pagekit/commit/e0454f9c037c427a5ff76a57e78dbf8cc00c268b
http://securelayer7.net/download/pdf/SecureLayer7-Pentest-report-Pagekit-CMS.pdf
http://securelayer7.net/download/poc/password-reset-vulnerability-exploit-ruby-pagekit-cms.rb.txt
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, a fully functional exploit for this vulnerability is available.
