Vulnerability CVE-2013-5726
Published: 2013-11-12
Description:
Tweetbot 1.3.3 for Mac, and 2.8.5 for iPad and iPhone, does not require confirmation of (1) follow or (2) favorite actions, which allows remote attackers to automatically force the user to perform undesired actions, as demonstrated via the tweetbot:///follow/ URL.
Type:
CWE-352 (Cross-Site Request Forgery (CSRF))
CVSS2 => (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial
References:
http://seclists.org/fulldisclosure/2013/Nov/9
http://osvdb.org/99256
http://blog.binaryfactory.ca/2013/11/cve-2013-5726-tweetbot-for-ios-and-mac-user-disclosureprivacy-issue/
Copyright 2024, cxsecurity.com