CVE Vulnerabilities

CVE-2009-1283

Published: Apr 09, 2009 | Modified: Sep 29, 2017
CVSS 3.x: N/A
Source: NVD
CVSS 2.x: 6.8 MEDIUM (AV:N/AC:M/Au:N/C:P/I:P/A:P)

glFusion before 1.1.3 performs authentication with a user-provided password hash instead of a password, which allows remote attackers to gain privileges by obtaining the hash and using it in the glf_password cookie, aka User Masquerading. NOTE: this can be leveraged with a separate SQL injection vulnerability to steal hashes.

Affected Software

Name      Vendor    Start Version          End Version
Glfusion  Glfusion  *                      1.1.2 (including)
Glfusion  Glfusion  1.0.0 (including)      1.0.0 (including)
Glfusion  Glfusion  1.0.0-rc1 (including)  1.0.0-rc1 (including)
Glfusion  Glfusion  1.0.0-rc2 (including)  1.0.0-rc2 (including)
Glfusion  Glfusion  1.0.1 (including)      1.0.1 (including)
Glfusion  Glfusion  1.0.2 (including)      1.0.2 (including)
Glfusion  Glfusion  1.1.0 (including)      1.1.0 (including)
Glfusion  Glfusion  1.1.0-rc1 (including)  1.1.0-rc1 (including)
Glfusion  Glfusion  1.1.1 (including)      1.1.1 (including)
