Podatność CVE-2008-0807


Publikacja: 2008-02-18   Modyfikacja: 2012-02-12

Opis:
lib/Driver/sql.php in Turba 2 (turba2) Contact Manager H3 2.1.x before 2.1.7 and 2.2.x before 2.2-RC3, as used in products such as Horde Groupware before 1.0.4 and Horde Groupware Webmail Edition before 1.0.5, does not properly check access rights, which allows remote authenticated users to modify address data via a modified object_id parameter to edit.php, as demonstrated by modifying a personal address book entry when there is write access to a shared address book.

Typ:

CWE-264

(Permissions, Privileges, and Access Controls)

CVSS2 => (AV:N/AC:M/Au:S/C:P/I:P/A:N)

Ogólna skala CVSS
Znaczenie
Łatwość wykorzystania
4.9/10
4.9/10
6.8/10
Wymagany dostęp
Złożoność ataku
Autoryzacja
Zdalny
Średnia
Jednorazowa
Wpływ na poufność
Wpływ na integralność
Wpływ na dostępność
Częściowy
Częściowy
Brak
Affected software
Horde -> Groupware 
Horde -> Groupware webmail edition 
Horde -> Turba contact manager 

 Referencje:
http://www.securityfocus.com/bid/27844
http://lists.horde.org/archives/announce/2008/000381.html
http://lists.horde.org/archives/announce/2008/000380.html
http://lists.horde.org/archives/announce/2008/000379.html
http://lists.horde.org/archives/announce/2008/000378.html
http://www.vupen.com/english/advisories/2008/0593/references
http://secunia.com/advisories/28982
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=464058
https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00927.html
https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00888.html
https://bugzilla.redhat.com/show_bug.cgi?id=432027
http://www.securitytracker.com/id?1019433
http://www.debian.org/security/2008/dsa-1507
http://secunia.com/advisories/29186
http://secunia.com/advisories/29185
http://secunia.com/advisories/29184
http://secunia.com/advisories/29071

Copyright 2024, cxsecurity.com

 

Back to Top