glFusion before 1.1.3 performs authentication with a user-provided password hash instead of a password, which allows remote attackers to gain privileges by obtaining the hash and using it in the glf_password cookie, aka "User Masquerading." NOTE: this can be leveraged with a separate SQL injection vulnerability to steal hashes.
Metrics
Affected Vendors & Products
References
History
No history.

Status: PUBLISHED
Assigner: mitre
Published:
Updated: 2024-08-07T05:04:49.428Z
Reserved: 2009-04-09T00:00:00
Link: CVE-2009-1283

No data.

Status : Modified
Published: 2009-04-09T16:27:57.577
Modified: 2024-11-21T01:02:05.830
Link: CVE-2009-1283

No data.