CVE-2021-26600

Description

ImpressCMS before 1.4.3 has plugins/preloads/autologin.php type confusion with resultant Authentication Bypass (!= instead of !==).

How to fix CVE-2021-26600

To remediate CVE-2021-26600, upgrade the affected package to a fixed version below.

• Packagist/impresscms/impresscms—upgrade to 1.4.3 or later

Is CVE-2021-26600 being exploited?

Low — EPSS is 1.2%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 1.4.3

CVSS scores

References (7)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-26600
• PATCHgithub.com/ImpressCMS/impresscms
• WEBkarmainsecurity.com/KIS-2022-01
• WEBpacketstormsecurity.com/files/166393/ImpressCMS-1.4.2-Authentication-Bypass.html
• WEB