Authentication Bypass in ImpressCMS by ImpressCMS Development Team
CVE-2021-26600

9.8 CRITICAL

Key Information:

Vendor: ImpressCMS
CVE Published: 28 March 2022

What is CVE-2021-26600?

ImpressCMS versions before 1.4.3 are vulnerable to a type confusion issue in the autologin.php script, which leads to an authentication bypass. The flaw stems from improper use of comparison operators, which allows unauthorized users to be authenticated when they should not be. Attackers exploiting this vulnerability can gain access to user accounts and sensitive information without passing proper authentication checks, posing a serious risk to website security.

CVSS V3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
