Vulnerability CVE-2012-1297

Published: 2012-03-19   Modified: 2012-03-20

Description:
Multiple cross-site request forgery (CSRF) vulnerabilities in main.php in Contao (formerly TYPOlight) 2.11.0 and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) delete users via a delete action in the user module, (2) delete news via a delete action in the news module, or (3) delete newsletters via a delete action in the newsletters module.

See advisories in our WLB2 database:

Risk      Topic                                          Author          Date
Low Risk  ContaoCMS 2.11.0 Cross Site Request Forgery    Ivano Binetti   27.02.2012


Type:
CWE-352 (Cross-Site Request Forgery (CSRF))

Vendor: Contao
Product: Contao CMS
Version:
2.9.5
2.9.4
2.9.3
2.9.2
2.9.1
2.9.0
2.9
2.8.4
2.8.3
2.8.2
2.8.1
2.8.0
2.8
2.7.7
2.7.6
2.7.5
2.7.4
2.7.3
2.7.2
2.7.1
2.7.0
2.7
2.6.8
2.6.7
2.6.6
2.6.5
2.6.4
2.6.3
2.6.2
2.6.1
2.6.0
2.6
2.5.9
2.5.8
2.5.7
2.5.6
2.5.5
2.5.4
2.5.3
2.5.2
2.5.1
2.5.0
2.5
2.4.7
2.4.6
2.4.5
2.4.4
2.4.3
2.4.2
2.4.1
2.4.0
2.4
2.3.4
2.3.3
2.3.2
2.3.1
2.3.0
2.2.9
2.2.8
2.2.7
2.2.6
2.2.5
2.2.4
2.2.3
2.2.2
2.2.12
2.2.11
2.2.10
2.2.1
2.2.0
2.11.0
2.10.4
2.10.3
2.10.2
2.10.1
2.10.0
2.10.
2.1.9
2.1.8
2.1.7
2.1.6
2.1.5
2.1.4
2.1.3
2.1.20
2.1.2
2.1.19
2.1.18
2.1.17
2.1.16
2.1.15
2.1.14
2.1.13
2.1.12
2.1.11
2.1.10
2.1.1
2.1.0
2.0

CVSS2 => (AV:N/AC:M/Au:N/C:P/I:P/A:P)

CVSS Base Score          6.8/10
Impact Subscore          6.4/10
Exploitability Subscore  8.6/10

Exploit range            Remote
Attack complexity        Medium
Authentication           Not required

Confidentiality impact   Partial
Integrity impact         Partial
Availability impact      Partial

References:
http://xforce.iss.net/xforce/xfdb/73479
http://www.exploit-db.com/exploits/18527
http://secunia.com/advisories/48180
http://packetstormsecurity.org/files/110214/ContaoCMS-2.11.0-Cross-Site-Request-Forgery.html
http://ivanobinetti.blogspot.com/2012/02/contaocms-fka-typolight-211-csrf-delete.html
Copyright 2013, cxsecurity.com