Vulnerability CVE-2012-1498

Vulnerability CVE-2012-1498

Published: 2012-03-19

Description:

Multiple cross-site request forgery (CSRF) vulnerabilities in Webfolio CMS 1.1.4 and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) add an administrator via an add action to admin/users/add or (2) modify a web page via a save action to admin/pages/edit/web_page_name.

See advisories in our WLB2 database:

	Topic	Author	Date
Low	WebfolioCMS <= 1.1.4 CSRF (Add Admin/Modify Pages)	Ivano Binetti	21.03.2012

CVSS2 => (AV:N/AC:M/Au:N/C:P/I:P/A:P)

CVSS Base Score	Impact Subscore	Exploitability Subscore
6.8/10	6.4/10	8.6/10

Exploit range	Attack complexity	Authentication
Remote	Medium	No required
Confidentiality impact	Integrity impact	Availability impact
Partial	Partial	Partial

Affected software
Nikola posa -> Webfoliocms1.0.4
Nikola posa -> Webfoliocms1.0.5
Nikola posa -> Webfoliocms1.0.6
Nikola posa -> Webfoliocms1.0.7
Nikola posa -> Webfoliocms1.0.8
Nikola posa -> Webfoliocms1.0.9
Nikola posa -> Webfoliocms1.1.0
Nikola posa -> Webfoliocms1.1.1
Nikola posa -> Webfoliocms1.1.2
Nikola posa -> Webfoliocms1.1.3
Nikola posa -> Webfoliocms1.1.4
Nikola posa -> Webfoliocms1.0.2
Nikola posa -> Webfoliocms1.0.3
Alokin87 -> Webfoliocms1.0.2
Alokin87 -> Webfoliocms1.0.3
Alokin87 -> Webfoliocms1.0.4
Alokin87 -> Webfoliocms1.0.5
Alokin87 -> Webfoliocms1.0.6
Alokin87 -> Webfoliocms1.0.7
Alokin87 -> Webfoliocms1.0.8
Alokin87 -> Webfoliocms1.0.9
Alokin87 -> Webfoliocms1.1.0
Alokin87 -> Webfoliocms1.1.1
Alokin87 -> Webfoliocms1.1.2
Alokin87 -> Webfoliocms1.1.3
Alokin87 -> Webfoliocms1.1.4

References:

http://xforce.iss.net/xforce/xfdb/73575

http://www.securityfocus.com/bid/52218

http://www.exploit-db.com/exploits/18536

http://secunia.com/advisories/48190

http://packetstormsecurity.org/files/110294/WebfolioCMS-1.1.4-Cross-Site-Request-Forgery.html

http://osvdb.org/79658

http://ivanobinetti.blogspot.com/2012/02/webfoliocms-114-csrf-add-adminmodify.html

Copyright 2024, cxsecurity.com