Lucene search

[email protected]CVE-2009-3248

HistorySep 18, 2009 - 8:30 p.m.

CVE-2009-3248

2009-09-1820:30:00

CWE-352

[email protected]

web.nvd.nist.gov

cve

2009

3248

cross-site request forgery

csrf

vulnerability

vtiger crm

rss module

hijack

authentication

admin users

news feed system

rssurl parameter

index.php

7.9 High

AI Score

Confidence

Low

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.032 Low

EPSS

Percentile

91.2%

JSON

Cross-site request forgery (CSRF) vulnerability in the RSS module in vtiger CRM 5.0.4 allows remote attackers to hijack the authentication of Admin users for requests that modify the news feed system via the rssurl parameter in a Save action to index.php.

CPENameOperatorVersion
vtiger:vtiger_crmvtiger vtiger crmeq5.0.4

CPE	Name	Operator	Version
vtiger:vtiger_crm	vtiger vtiger crm	eq	5.0.4

References

marc.info/?l=bugtraq&m=125060676515670&w=2

secunia.com/advisories/36309

www.exploit-db.com/exploits/9450

www.osvdb.org/57238

www.securityfocus.com/bid/36062

www.ush.it/2009/08/18/vtiger-crm-504-multiple-vulnerabilities/

www.ush.it/team/ush/hack-vtigercrm_504/vtigercrm_504.txt

www.vupen.com/english/advisories/2009/2319

7.9 High

AI Score

Confidence

Low

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.032 Low

EPSS

Percentile

91.2%

JSON

Related for CVE-2009-3248

prion1 cvelist1