PT-2015-7692 · Horde · Horde Groupware Webmail Edition+2
Published: 2015-11-03 · Updated: 2021-05-19 · CVE-2015-7984
CVSS v2.0: 6.8 (Medium)
| Vector | AV:N/AC:M/Au:N/C:P/I:P/A:P |
Name of the Vulnerable Software and Affected Versions
Horde versions prior to 5.2.8
Horde Groupware versions prior to 5.2.11
Horde Groupware Webmail Edition versions prior to 5.2.11
Description
Multiple cross-site request forgery (CSRF) issues allow remote attackers to hijack the authentication of administrators for requests that execute arbitrary commands, SQL queries, or PHP code. This is achieved via the cmd parameter to "admin/cmdshell.php", the sql parameter to "admin/sqlshell.php", or the php parameter to "admin/phpshell.php".
Recommendations
For Horde versions prior to 5.2.8, update to version 5.2.8 or later.
For Horde Groupware versions prior to 5.2.11, update to version 5.2.11 or later.
For Horde Groupware Webmail Edition versions prior to 5.2.11, update to version 5.2.11 or later.
As a temporary workaround, consider restricting access to the "admin/cmdshell.php", "admin/sqlshell.php", and "admin/phpshell.php" endpoints until a patch is applied.
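The workaround above, written out as an Apache 2.4 configuration fragment. This is an added example, not configuration from the advisory or from the Horde project; it assumes Apache 2.4 (`Require` syntax) and that Horde is served under the URL prefix `/horde`, both of which are assumptions to adjust for the actual deployment.

```apache
# Added example (not from the advisory or the Horde project): temporary
# workaround that blocks the three admin shell endpoints named in the
# advisory until the fixed release (5.2.8 / 5.2.11) is installed.
# Assumptions: Apache 2.4 and Horde mounted at the URL prefix /horde.
<LocationMatch "^/horde/admin/(cmdshell|sqlshell|phpshell)\.php$">
    # Deny every client, including logged-in administrators: a CSRF request
    # arrives from the administrator's own browser, so allowlisting admin IP
    # addresses would not stop it.
    Require all denied
</LocationMatch>
```

Denying outright rather than restricting by source address is deliberate: the forged request is issued by the administrator's browser with the administrator's session, so any rule that lets the administrator through also lets the CSRF request through. Remove the block once the updated version is deployed.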
Exploit
Fix
CSRF
Weakness Enumeration
Related identifiers
Affected products
Horde
Horde Groupware
Horde Groupware Webmail Edition