CVE-2018-12596
published 2018-10-10


Priority: P265 | critical | 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 22.38% (97.4th percentile)
Episerver Ektron CMS before 9.0 SP3 Site CU 31, 9.1 before SP3 Site CU 45, or 9.2 before SP2 Site CU 22 allows remote attackers to call aspx pages via the "activateuser.aspx" page, even if a page is located under the /WorkArea/ path, which is forbidden (normally available exclusively for local admins).

Affected

3 ranges
Vendor | Product | Version range | Fixed in
episerver | ektron_cms | |
episerver | ektron_cms | |
episerver | ektron_cms | |

Detection & IOCs (extracted from sources)

path: /WorkArea/activateuser.aspx
url: https://ektronserver.com/WorkArea/activateuser.aspx
other: Referer: ALEX;
  • Detect exploitation attempts by monitoring HTTP GET requests to /WorkArea/activateuser.aspx that receive a 200 OK response — normally this path returns 403 Forbidden for non-local users.
  • Alert on HTTP requests to /WorkArea/activateuser.aspx containing a malformed or arbitrary Referer header (e.g., 'Referer: ALEX;'), as this is the bypass mechanism that causes the server to return 200 OK instead of 403.
  • Monitor for GET requests to any path under /WorkArea/ from external/non-local IP addresses, particularly those resulting in 200 responses, as this path is normally restricted exclusively to local admins.
  • The access restriction bypass is triggered specifically by the presence of a Referer header with an arbitrary/malformed value (e.g., 'ALEX;'). The vulnerability is in how the CMS evaluates the Referer header to gate access to /WorkArea/ pages, meaning any non-empty Referer value may bypass the restriction.
  • The vulnerability affects Ektron CMS versions before 9.0 SP3 Site CU 31, 9.1 before SP3 Site CU 45, and 9.2 before SP2 Site CU 22. Patch ID EKTR-508 addresses this issue.
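
The three detection checks above, applied to IIS W3C extended logs, as an added example that is not part of the original entry. It assumes the log's #Fields line includes c-ip, cs-uri-stem, cs(Referer) and sc-status; the sample lines, the rule names and the definition of "local" networks are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: "local" means loopback or RFC 1918 space; adjust to your network.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "::1/128")]
TARGET = "/workarea/activateuser.aspx"

# Constructed sample in IIS W3C extended format (not real traffic).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs(Referer) sc-status
2018-10-11 09:14:02 203.0.113.7 GET /WorkArea/activateuser.aspx - 403
2018-10-11 09:14:05 203.0.113.7 GET /WorkArea/activateuser.aspx ALEX; 200
2018-10-11 09:15:40 10.0.0.12 GET /WorkArea/example.aspx https://cms.example/WorkArea/ 200
2018-10-11 09:16:11 198.51.100.23 GET /workarea/example.aspx - 200
"""

def is_external(ip):
    try:
        return not any(ipaddress.ip_address(ip) in net for net in INTERNAL)
    except ValueError:
        return True  # unparseable client address: treat as non-local

def referer_malformed(value):
    """Present but not an absolute http(s) URL; IIS logs an absent header as '-'."""
    try:
        parts = urlsplit(value)
    except ValueError:
        return True
    return value not in ("", "-") and (parts.scheme not in ("http", "https") or not parts.netloc)

def scan(log_text):
    """Return (c-ip, uri, status, [rule names]) for each suspicious request."""
    fields, findings = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order comes from the log itself
        if line.startswith("#") or not line.strip() or not fields:
            continue
        rec = dict(zip(fields, line.split()))
        path = rec.get("cs-uri-stem", "").lower()  # IIS paths are case-insensitive
        if not path.startswith("/workarea/") or not is_external(rec.get("c-ip", "")):
            continue
        ok = rec.get("sc-status") == "200"
        checks = {"external-200-under-workarea": ok, "activateuser-200": ok and path == TARGET,
                  "malformed-referer": path == TARGET and referer_malformed(rec.get("cs(Referer)", "-"))}
        rules = [name for name, hit in checks.items() if hit]
        if rules:
            findings.append((rec["c-ip"], rec["cs-uri-stem"], rec.get("sc-status"), rules))
    return findings
```

Behind a reverse proxy or load balancer, c-ip holds the proxy's address, so the forwarded client address has to be logged and used for the external check instead.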

CVSS provenance

nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P