CVE-2013-7376

Name of the Vulnerable Software and Affected Versions OpenX versions 2.8.10 and possibly prior to revision 82710

Description The issue allows remote attackers to hijack the authentication of administrators. This can be achieved through requests that conduct directory traversal attacks via the group parameter to API endpoints such as "plugin-preferences.php" or "plugin-settings.php" in the www/admin directory.

Recommendations For OpenX versions 2.8.10 and possibly prior to revision 82710, consider restricting access to the "plugin-preferences.php" and "plugin-settings.php" files in the www/admin directory to minimize the risk of exploitation. Avoid using the group parameter in these API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.