CVE-2012-2315

OpenKM <5.1.8-2 - Privilege Escalation

Title source: llm

Description

admin/Auth in OpenKM 5.1.7 and other versions before 5.1.8-2 does not properly enforce privileges for changing user roles, which allows remote authenticated users to assign administrator privileges to arbitrary users via the userEdit action.

Exploits (1)

exploitdb WORKING POC
webapps, jsp
https://www.exploit-db.com/exploits/18888

Scores

EPSS 0.0834
EPSS Percentile 92.3%

Details

CWE CWE-264
Status published
Products (2)
openkm/openkm 5.1.8
openkm/openkm < 5.1.7
Published Sep 09, 2012
Tracked Since Feb 18, 2026