2 matches found
CVE-2012-2316
Cross-site request forgery CSRF vulnerability in servlet/admin/AuthServlet.java in OpenKM 5.1.7 and other versions before 5.1.8-2 allows remote attackers to hijack the authentication of administrators for requests that execute arbitrary code via the script parameter to admin/scripting.jsp...
CVE-2012-2315
OpenKM 5.1.7 and earlier versions (before 5.1.8-2) suffer a privilege-escillation flaw in admin/Auth: the system does not properly enforce privileges for changing user roles via the userEdit action. Remote authenticated users can assign administrator privileges to arbitrary users. Root cause: imp...