CVE-2020-26167: 
Fuel CMS vulnerability analysis and mitigation

In FUEL CMS version 11.4.12 and earlier, a critical vulnerability was discovered where the page preview feature allows an anonymous user to take complete ownership of any account, including administrator accounts. The vulnerability was discovered on September 20, 2020, and was assigned CVE-2020-26167. The affected software is FUEL CMS, a CodeIgniter-based content management system (Excellium Advisory).

The vulnerability received a CVSS v3.1 base score of 9.8 CRITICAL with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating a critical severity level. This scoring reflects that the vulnerability can be exploited remotely without requiring privileges or user interaction, and can result in high impacts to confidentiality, integrity, and availability (NVD).

The vulnerability allows an unauthenticated attacker to gain complete control over any user account in the system, including administrator accounts. This level of access could potentially lead to complete system compromise, as administrator accounts typically have full control over the CMS and its content (Excellium Advisory).

The vulnerability has been patched in FUEL CMS version 11.4.13. Users are advised to upgrade to this version or later to protect against this security issue (Excellium Advisory).