CVE-2015-5640: baserCMS Access Control Bypass

CVSS Score: N/A

Basic Information

EPSS Score: 0.62363%
CWE: -
Published: 5/13/2022
Updated: 8/1/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: -

Package Name          | Ecosystem | Vulnerable Versions | First Patched Version
baserproject/basercms | composer  | <= 3.0.7            | 3.0.8

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability description indicates improper access control in user settings modification. In MVC frameworks like baserCMS, user management typically resides in UsersController, and the admin_edit action would handle user profile updates. The vulnerability suggests this endpoint did not properly validate whether the authenticated user had rights to modify the target user ID (likely passed via request parameters), enabling ID manipulation attacks. The CWE-264 classification and the 'crafted request' reference support this pattern. While the exact code isn't available, this matches common access control flaws in CMS user management components.

WAF Protection Rules

WAF Rule

baserCMS before 3.0.8 allows remote authenticated users to modify arbitrary user settings via a crafted request.