PT-2015-5348 · Epignosis · Efront

Steffen Rösemann

·

Published

2015-02-10

·

Updated

2017-09-08

·

CVE-2015-1559

CVSS v2.0

6.8

Medium

Vector

AV:N/AC:M/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions

Epignosis eFront Open Source Edition versions prior to 3.6.15.3 build 18022

Description

The issue allows remote attackers to hijack the authentication of administrators for various requests, including deleting, deactivating, or activating modules, users, themes, events, and language settings, as well as modifying the autologin feature. This is achieved through multiple cross-site request forgery (CSRF) vulnerabilities in the administrator.php file. The vulnerable parameters include delete module, deactivate module, activate module, delete user, deactivate user, activate user, set theme, delete, deactivate notification, activate notification, delete notification, deactivate language, activate language, delete language, and parameters related to the autologin feature.

Recommendations

For Epignosis eFront Open Source Edition versions prior to 3.6.15.3 build 18022, update to version 3.6.15.3 build 18022 or later to resolve the issue. As a temporary workaround, consider restricting access to the administrator.php file and its associated parameters to minimize the risk of exploitation. Avoid using the vulnerable parameters until the issue is resolved.
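As an added example (not part of the advisory or of eFront), the following script scans Apache combined-format access log lines for hits on administrator.php that carry one of the state-changing parameters named above and arrive without a same-site Referer, which is the pattern a forged cross-site request leaves behind. The underscore spellings of the parameter names, the site host and the log lines are all constructed assumptions; adjust them to the deployed eFront version.

```python
"""Flag cross-site hits on eFront administrator.php state-changing actions (PT-2015-5348)."""
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

SITE_HOST = "lms.example.org"  # assumed: host serving the eFront instance

# Assumed spellings of the parameters listed in the advisory.
STATE_CHANGING = {
    "delete_module", "deactivate_module", "activate_module",
    "delete_user", "deactivate_user", "activate_user", "set_theme", "delete",
    "deactivate_notification", "activate_notification", "delete_notification",
    "deactivate_language", "activate_language", "delete_language", "autologin",
}

# Apache "combined" log format: ip ident user [ts] "req" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def flag_line(line: str) -> Optional[dict]:
    """Return a finding for a cross-site state-changing admin request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["path"])
    if not url.path.endswith("/administrator.php"):
        return None
    hit = set(parse_qs(url.query, keep_blank_values=True)) & STATE_CHANGING
    if not hit:
        return None
    # A missing Referer ("-") may be a privacy setting, so it is reported, not proven.
    ref_host = urlsplit(m["referer"]).hostname if m["referer"] not in ("", "-") else None
    if ref_host == SITE_HOST:
        return None  # same-site navigation; the normal admin UI flow
    return {"ip": m["ip"], "params": sorted(hit), "referer_host": ref_host, "status": m["status"]}

def scan(lines):
    return [f for f in (flag_line(l) for l in lines) if f]

# Constructed sample log lines, not taken from a real deployment.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Feb/2015:10:00:01 +0000] "GET /administrator.php?ctg=users&delete_user=42 HTTP/1.1" 302 0 "https://lms.example.org/administrator.php?ctg=users" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Feb/2015:10:01:12 +0000] "GET /administrator.php?ctg=modules&deactivate_module=reports HTTP/1.1" 302 0 "http://third-party.example/page.html" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Feb/2015:10:02:30 +0000] "GET /administrator.php?ctg=themes&set_theme=3 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [10/Feb/2015:10:03:44 +0000] "GET /administrator.php?ctg=users HTTP/1.1" 200 8000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Only the second and third sample lines are reported; the first is same-site and the fourth changes no state. Referer checks are a detection aid for the unpatched window, not a substitute for the vendor update.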

Exploit

Fix

CSRF


Weakness Enumeration

Related Identifiers

CVE-2015-1559

Affected Products

Efront