PT-2014-3006 · Openx · Openx
Mahmoud Ghorbanzadeh
·
Publicado
2014-04-25
·
Atualizado
2018-10-09
·
CVE-2013-5954
CVSS v2.0
6.8
Média
| Vetor | AV:N/AC:M/Au:N/C:P/I:P/A:P |
Name of the Vulnerable Software and Affected Versions
OpenX versions 2.8.11 and earlier
Description
The issue allows remote attackers to hijack the authentication of administrators for requests that delete various components, including users, advertisers, banners, campaigns, channels, affiliate websites, or zones, via multiple cross-site request forgery (CSRF) vulnerabilities. This is achieved through unauthorized access to specific API endpoints, such as "admin/agency-user-unlink.php", "admin/advertiser-delete.php", "admin/banner-delete.php", "admin/campaign-delete.php", "admin/channel-delete.php", "admin/affiliate-delete.php", or "admin/zone-delete.php".
Recommendations
For OpenX versions 2.8.11 and earlier, update to a version that includes a fix for this issue to prevent CSRF attacks.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
CSRF
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Openx