Execution After Redirect (EAR), Missing Authentication for Critical Function vulnerability in Inrove Software and Internet Services BiEticaret CMS allows Authentication Bypass, HTTP Response Splitting. This issue affects BiEticaret CMS: from 2.1.13 through 19022026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
The vulnerability results from two related weaknesses: CWE-306 (missing authentication for critical function) and CWE-698 (Execution After Redirect). The EAR mechanism works by the application sending a redirect response to the user, but simultaneously continuing to execute server-side code — before the client is actually redirected. An attacker can thereby gain access to protected resources or functions without needing a valid session. Additionally, HTTP Response Splitting is possible, which can lead to injection of malicious HTTP headers.
A remote, unauthenticated attacker can bypass authorization mechanisms, gain access to protected administrative functions, and potentially take control of the application — violating the confidentiality, integrity, and availability of the system.
Patches available from the manufacturer should be applied according to the references. Note: the manufacturer (Inrove Software and Internet Services) did not respond to the vulnerability report before its disclosure — in case of no official patch, it is recommended to consider temporarily disconnecting the system from the Internet or implementing firewall rules blocking unauthorized access to critical application paths until an update is released.
BiEticaret CMS in versions from 2.1.13 to 19022026 (inclusive).
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H