CVE-2009-1462

The Security Manager in razorCMS before 0.4 does not verify the permissions of every file owned by the apache user account, which is inconsistent with the documentation and allows local users to have an unspecified impact.

CVSS v2.0 7.2 HIGH

7.2^/10

CVSS v2.0 : HIGH

Vector : AV:L/AC:L/Au:N/C:C/I:C/A:C

Exploitability : 3.9 / Impact : 10.0

Access Vector LOCAL

Access Complexity LOW

Authentication NONE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
http://razorcms.co.uk/support/viewtopic.php?f=13&t=325	Exploit Vendor Advisory
http://www.securityfocus.com/bid/34566	Exploit
http://marc.info/?l=full-disclosure&m=123998062108561&w=2	Exploit
http://marc.info/?l=full-disclosure&m=123990481506680&w=2	Exploit
https://exchange.xforce.ibmcloud.com/vulnerabilities/50358

Advertisement

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:razorcms:razorcms:0.3:rc2::::::
	cpe:2.3:a:razorcms:razorcms:0.2:::::::*
	cpe:2.3:a:razorcms:razorcms::::::::

Information

Published : 2009-04-28 09:30

Updated : 2017-08-16 18:30

NVD link : CVE-2009-1462

Mitre link : CVE-2009-1462

JSON object : View

CWE

CWE-264

Permissions, Privileges, and Access Controls

Advertisement

Products Affected

razorcms

razorcms

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "http://razorcms.co.uk/support/viewtopic.php?f=13&t=325", "name": "http://razorcms.co.uk/support/viewtopic.php?f=13&t=325", "tags": ["Exploit", "Vendor Advisory"], "refsource": "CONFIRM"}, {"url": "http://www.securityfocus.com/bid/34566", "name": "34566", "tags": ["Exploit"], "refsource": "BID"}, {"url": "http://marc.info/?l=full-disclosure&m=123998062108561&w=2", "name": "20090416 [follow-up] razorCMS - Multiple Vulnerabilities", "tags": ["Exploit"], "refsource": "FULLDISC"}, {"url": "http://marc.info/?l=full-disclosure&m=123990481506680&w=2", "name": "20090416 razorCMS - Multiple Vulnerabilities", "tags": ["Exploit"], "refsource": "FULLDISC"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/50358", "name": "razorcms-security-manager-unspecified(50358)", "tags": [], "refsource": "XF"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "The Security Manager in razorCMS before 0.4 does not verify the permissions of every file owned by the apache user account, which is inconsistent with the documentation and allows local users to have an unspecified impact."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-264"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2009-1462", "ASSIGNER": "cve@mitre.org"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 7.2, "accessVector": "LOCAL", "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "authentication": "NONE", "integrityImpact": "COMPLETE", "accessComplexity": "LOW", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "severity": "HIGH", "acInsufInfo": true, "impactScore": 10.0, "obtainAllPrivilege": false, "exploitabilityScore": 3.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}}, "publishedDate": "2009-04-28T16:30Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:razorcms:razorcms:0.3:rc2:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:razorcms:razorcms:0.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:razorcms:razorcms:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndIncluding": "0.3"}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2017-08-17T01:30Z"}