Description
Joovili 3.1.4 allows remote attackers to bypass authentication and gain privileges as other users, including the administrator, by setting the (1) session_id, session_logged_in, and session_username cookies for user privileges; (2) session_admin_id, session_admin_username, and session_admin cookies for admin privileges; and (3) session_staff_id, session_staff_username, and session_staff cookies for staff users.
Exploits (1)
References (5)
Core 5
Core References
Third Party Advisory, VDB Entry vdb-entry
x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/46272
Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/32491
Exploit, Third Party Advisory exploit
x_refsource_exploit-db
https://www.exploit-db.com/exploits/6955
Exploit vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/32058
Vendor Advisory vdb-entry
x_refsource_vupen
http://www.vupen.com/english/advisories/2008/2978
Scores
EPSS
0.0249
EPSS Percentile
85.4%
Details
CWE
CWE-287
Status
published
Products (1)
joovili/joovili
3.1.4
Published
Feb 25, 2009
Tracked Since
Feb 18, 2026