CVE-2009-1462

The Security Manager in razorCMS before 0.4 does not verify the permissions of every file owned by the apache user account, which is inconsistent with the documentation and allows local users to have an unspecified impact.

CVSS v2.0 7.2 HIGH

7.2^/10

CVSS v2.0 : HIGH

Vector : AV:L/AC:L/Au:N/C:C/I:C/A:C

Exploitability : 3.9 / Impact : 10.0

Access Vector LOCAL

Access Complexity LOW

Authentication NONE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
http://marc.info/?l=full-disclosure&m=123990481506680&w=2	Exploit
http://marc.info/?l=full-disclosure&m=123998062108561&w=2	Exploit
http://razorcms.co.uk/support/viewtopic.php?f=13&t=325	Exploit Vendor Advisory
http://www.securityfocus.com/bid/34566	Exploit
https://exchange.xforce.ibmcloud.com/vulnerabilities/50358

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:razorcms:razorcms::::::::
	cpe:2.3:a:razorcms:razorcms:0.2:::::::*
	cpe:2.3:a:razorcms:razorcms:0.3:rc2::::::

History

No history.

Information

Published : 2009-04-28 16:30

Updated : 2024-02-04 17:33

NVD link : CVE-2009-1462

Mitre link : CVE-2009-1462

CVE.ORG link : CVE-2009-1462

JSON object : View

Products Affected

razorcms

razorcms

CWE

CWE-264

Permissions, Privileges, and Access Controls

{"id": "CVE-2009-1462", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.2, "accessVector": "LOCAL", "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "authentication": "NONE", "integrityImpact": "COMPLETE", "accessComplexity": "LOW", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "acInsufInfo": true, "impactScore": 10.0, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 3.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2009-04-28T16:30:03.717", "references": [{"url": "http://marc.info/?l=full-disclosure&m=123990481506680&w=2", "tags": ["Exploit"], "source": "cve@mitre.org"}, {"url": "http://marc.info/?l=full-disclosure&m=123998062108561&w=2", "tags": ["Exploit"], "source": "cve@mitre.org"}, {"url": "http://razorcms.co.uk/support/viewtopic.php?f=13&t=325", "tags": ["Exploit", "Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "http://www.securityfocus.com/bid/34566", "tags": ["Exploit"], "source": "cve@mitre.org"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/50358", "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-264"}]}], "descriptions": [{"lang": "en", "value": "The Security Manager in razorCMS before 0.4 does not verify the permissions of every file owned by the apache user account, which is inconsistent with the documentation and allows local users to have an unspecified impact."}, {"lang": "es", "value": "El Security Manager en razorCMS anterior a v0.4 no comprueba los permisos de todos los archivos propiedad de la cuenta de usuario de apache, lo cual es inconsistente con la documentaci\u00f3n y permite a los usuarios locales tener un impacto no especificado."}], "lastModified": "2017-08-17T01:30:21.833", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:razorcms:razorcms:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "52856284-CC33-4779-8A9D-A9A02FEA6654", "versionEndIncluding": "0.3"}, {"criteria": "cpe:2.3:a:razorcms:razorcms:0.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5D9EDF45-CA3B-44B8-A87E-99083223007C"}, {"criteria": "cpe:2.3:a:razorcms:razorcms:0.3:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F5B19BB3-8D38-4D4A-928E-75A45A63D6E6"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}