Description
Episerver CMS is an ASP.NET web content management system and digital marketing suite.
Ektron CMS 9.20 SP2 and older versions allow remote attackers to access administrative pages such as /WorkArea/activateuser.aspx without authentication by forging the Referer HTTP header.
Remediation
Upgrade to the latest version of Ektron CMS. This vulnerability was patched in EKTR-508 (Security enhancement for re-enabling a user).
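As an added defender-side example (not code from the advisory or the vendor), the following Python script scans IIS W3C-format web logs for the symptom described above: an Ektron WorkArea administrative page served with a 2xx status to a request that carries no authenticated user. The field layout and the sample log lines are constructed, and the check assumes the server logs cs-username.

```python
"""Flag WorkArea admin pages served (2xx) to requests with no authenticated user.

Detection example for the Referer-based authentication bypass described in the
advisory: a correctly protected admin page should never return 2xx to an
anonymous request. Log format assumed: IIS W3C extended with a #Fields header.
"""
import re

# Constructed sample log, not from any real server; field order is assumed.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-username c-ip cs(Referer) sc-status
2024-01-10 09:00:01 GET /WorkArea/login.aspx - 203.0.113.5 - 200
2024-01-10 09:00:07 POST /WorkArea/login.aspx - 203.0.113.5 https://cms.example/WorkArea/login.aspx 302
2024-01-10 09:00:09 GET /WorkArea/activateuser.aspx admin 203.0.113.5 https://cms.example/WorkArea/ 200
2024-01-10 09:12:44 GET /WorkArea/activateuser.aspx - 198.51.100.9 https://cms.example/WorkArea/ 200
2024-01-10 09:12:50 GET /WorkArea/activateuser.aspx - 198.51.100.9 - 401
"""

# Ektron keeps its administrative UI under /WorkArea/ (path named in the advisory).
ADMIN_PATH = re.compile(r"^/workarea/", re.IGNORECASE)


def parse_w3c(text):
    """Yield one dict per log record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed record: skip rather than misalign columns
        yield dict(zip(fields, values))


def unauthenticated_admin_hits(text):
    """Return (client IP, path, Referer) for anonymous 2xx hits on admin pages."""
    hits = []
    for rec in parse_w3c(text):
        path = rec["cs-uri-stem"]
        if not ADMIN_PATH.match(path) or path.lower().endswith("/login.aspx"):
            continue  # login page is legitimately reachable without a session
        if rec["cs-username"] == "-" and rec["sc-status"].startswith("2"):
            hits.append((rec["c-ip"], path, rec["cs(Referer)"]))
    return hits


if __name__ == "__main__":
    for ip, path, referer in unauthenticated_admin_hits(SAMPLE_LOG):
        print(f"anonymous admin access: {ip} {path} referer={referer}")
```

Only the anonymous request that was answered with 200 is reported; the authenticated admin's hit and the rejected 401 request are not.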
References