CVE-2019-11018

CRITICAL

ThinkAdmin V4.0 - Improper Authentication via Persistent Cookie

Title source: llm

Description

application\admin\controller\User.php in ThinkAdmin V4.0 does not prevent continued use of an administrator's cookie-based credentials after a password change.

References (1)

Core 1

Core References

Exploit, Issue Tracking, Third Party Advisory x_refsource_misc

https://github.com/zoujingli/ThinkAdmin/issues/173

Scores

CVSS v3 9.8

EPSS 0.0139

EPSS Percentile 68.9%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-287

Status published

Products (2)

thinkadmin/thinkadmin 4.0

zoujingli/thinkadmin Packagist

Published Apr 08, 2019

Tracked Since Feb 18, 2026