Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

github логотип

GHSA-rrmf-fpmm-jpwr

Опубликовано: 17 мая 2022
Источник: github
Github: Прошло ревью
CVSS3: 8.8

Описание

ViMbAdmin CSRF Vulnerabilities

Multiple cross-site request forgery (CSRF) vulnerabilities in the addAction and purgeAction functions in ViMbAdmin 3.0.15 allow remote attackers to hijack the authentication of logged administrators to

  1. add an administrator user via a crafted POST request to <vimbadmin directory>/application/controllers/DomainController.php,
  2. remove an administrator user via a crafted GET request to <vimbadmin directory>/application/controllers/DomainController.php,
  3. change an administrator password via a crafted POST request to <vimbadmin directory>/application/controllers/DomainController.php,
  4. add a mailbox via a crafted POST request to <vimbadmin directory>/application/controllers/MailboxController.php,
  5. delete a mailbox via a crafted POST request to <vimbadmin directory>/application/controllers/MailboxController.php,
  6. archive a mailbox address via a crafted GET request to <vimbadmin directory>/application/controllers/ArchiveController.php,
  7. add an alias address via a crafted POST request to <vimbadmin directory>/application/controllers/AliasController.php, or
  8. remove an alias address via a crafted GET request to <vimbadmin directory>/application/controllers/AliasController.php.

Ссылки

Пакеты

Наименование

opensolutions/vimbadmin

composer
Затронутые версииВерсия исправления

<= 3.0.15

Отсутствует

EPSS

Процентиль: 38%
0.00168
Низкий

8.8 High

CVSS3

CVE ID

CVE-2017-6086

Дефекты

CWE-352

Связанные уязвимости

nvd логотип

CVE-2017-6086

CVSS3: 8.8
nvd
больше 8 лет назад

Multiple cross-site request forgery (CSRF) vulnerabilities in the addAction and purgeAction functions in ViMbAdmin 3.0.15 allow remote attackers to hijack the authentication of logged administrators to (1) add an administrator user via a crafted POST request to <vimbadmin directory>/application/controllers/DomainController.php, (2) remove an administrator user via a crafted GET request to <vimbadmin directory>/application/controllers/DomainController.php, (3) change an administrator password via a crafted POST request to <vimbadmin directory>/application/controllers/DomainController.php, (4) add a mailbox via a crafted POST request to <vimbadmin directory>/application/controllers/MailboxController.php, (5) delete a mailbox via a crafted POST request to <vimbadmin directory>/application/controllers/MailboxController.php, (6) archive a mailbox address via a crafted GET request to <vimbadmin directory>/application/controllers/ArchiveController.php, (7) add an alias address via a crafted P

EPSS

Процентиль: 38%
0.00168
Низкий

8.8 High

CVSS3

CVE ID

CVE-2017-6086

Дефекты

CWE-352