Ektron Content Management System (CMS) 9.20 SP2, remote re-enabling users (CVE-2018–12596)
Switch branches/tags
Nothing to show
Clone or download
Latest commit 09d80b9 Oct 11, 2018
Failed to load latest commit information.
CVE-2018-12596.txt Update CVE-2018-12596.txt Oct 11, 2018
LICENSE Initial commit Jun 21, 2018
README.md Update README.md Oct 11, 2018



Ektron CMS 9.20 SP2 allows remote attackers to call aspx pages via the "activateuser.aspx" page, even if a page is located under the /WorkArea/ path, which is forbidden (normally available exclusively for local admins).

Exploit-DB publication at https://www.exploit-db.com/exploits/45577/
PacketStorm publication at https://packetstormsecurity.com/files/149734/Ektron-CMS-9.20-SP2-Improper-Access-Restrictions.html


2018–06–08: Discovered
2018–06–11: Retest staging environment
2018–06–12: Restes live environment
2018–06–19: Internal communication
2018–06–21: Vendor notification
2018–06–21: Vendor feedback
2018–06–29: Vendor feedback product will be patched
2018–06–29: Patch available
2018–06–29: Agrements with the vendor to publish the CVE/Advisory
2018–07–30: Internal communication
2018–09–15: Patches tested on LAB environment
2018–10–08: Public report

Episerver (Ektron Product 9.20 SP2) Patch and credits:


vendor_patch_29 jun 18


Alex Hernandez aka (@_alt3kx_)
My current exploit list @exploit-db: https://www.exploit-db.com/author/?a=1074
CVE-2018-12596 with sexy screens here: https://medium.com/@alt3kx