Lucene search

[email protected]CVE-2015-6973

HistorySep 16, 2015 - 7:59 p.m.

CVE-2015-6973

2015-09-1619:59:01

CWE-352

[email protected]

web.nvd.nist.gov

cve-2015-6973

ignite realtime openfire

csrf

cross-site request forgery

security vulnerability

nvd

7.2 High

AI Score

Confidence

Low

6.8 Medium

CVSS2

Access Vector

Access Complexity

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.945 High

EPSS

Percentile

99.2%

JSON

Multiple cross-site request forgery (CSRF) vulnerabilities in Ignite Realtime Openfire 3.10.2 allow remote attackers to hijack the authentication of administrators for requests that (1) change a password via a crafted request to user-password.jsp, (2) add users via a crafted request to user-create.jsp, (3) edit server settings or (4) disable SSL on the server via a crafted request to server-props.jsp, or (5) add clients via a crafted request to plugins/clientcontrol/permitted-clients.jsp.

Affected configurations

NVD

Node

igniterealtimeopenfireMatch3.10.2

CPENameOperatorVersion
igniterealtime:openfireigniterealtime openfireeq3.10.2

CPE	Name	Operator	Version
igniterealtime:openfire	igniterealtime openfire	eq	3.10.2

References

hyp3rlinx.altervista.org/advisories/AS-OPENFIRE-CSRF.txt

packetstormsecurity.com/files/133554/Openfire-3.10.2-Cross-Site-Request-Forgery.html

www.securityfocus.com/archive/1/536470/100/0/threaded

security.gentoo.org/glsa/201612-50

www.exploit-db.com/exploits/38192/

7.2 High

AI Score

Confidence

Low

6.8 Medium

CVSS2

Access Vector

Access Complexity

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.945 High

EPSS

Percentile

99.2%

JSON

Related for CVE-2015-6973

packetstorm1 cvelist1 nvd1 prion1 checkpoint_advisories3 nessus1 openvas1 gentoo1 archlinux1