CVE-2014-9148

CRITICAL

Fiyo CMS 2.0.1.8 - Auth Bypass

Description

Fiyo CMS 2.0.1.8 allows remote attackers to bypass intended access restrictions and execute the (1) "Install and Update" or (2) Backup super administrator function via the view parameter in a direct request to fiyo/dapur.

Exploits (1)

exploitdb WORKING POC
by Mahendra · text · webapps · php
https://www.exploit-db.com/exploits/36581

Scores

CVSS v3 9.8
EPSS 0.2423
EPSS Percentile 96.1%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-284
Status published
Products (1)
fiyo/fiyo_cms < 2.0.1.8
Published Oct 16, 2017
Tracked Since Feb 18, 2026