Lucene search

[email protected]CVE-2015-1424

HistoryJan 29, 2015 - 3:59 p.m.

CVE-2015-1424

2015-01-2915:59:03

CWE-352

[email protected]

web.nvd.nist.gov

cve-2015-1424

cross-site request forgery

csrf

gecko cms

remote attackers

authentication hijacking

administrator user

newuser request

6.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

7.3 High

AI Score

Confidence

Low

0.01 Low

EPSS

Percentile

83.7%

JSON

Cross-site request forgery (CSRF) vulnerability in Gecko CMS 2.2 and 2.3 allows remote attackers to hijack the authentication of administrators for requests that add an administrator user via a newuser request to admin/index.php.

Affected configurations

NVD

Node

jakwebgecko_cmsMatch2.2

jakwebgecko_cmsMatch2.3

CPENameOperatorVersion
jakweb:gecko_cmsjakweb gecko cmseq2.2
jakweb:gecko_cmsjakweb gecko cmseq2.3

CPE	Name	Operator	Version
jakweb:gecko_cms	jakweb gecko cms	eq	2.2
jakweb:gecko_cms	jakweb gecko cms	eq	2.3

References

osvdb.org/show/osvdb/116966

packetstormsecurity.com/files/129929/Gecko-CMS-2.2-2.3-CSRF-XSS-SQL-Injection.html

www.exploit-db.com/exploits/35767

www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5222.php

exchange.xforce.ibmcloud.com/vulnerabilities/99974

6.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

7.3 High

AI Score

Confidence

Low

0.01 Low

EPSS

Percentile

83.7%

JSON

Related for CVE-2015-1424

cvelist1 prion1 nvd1 zeroscience1