CVE-2007-3688

Name of the Vulnerable Software and Affected Versions DotClear version 1.2.6

Description The issue allows remote attackers to perform actions as arbitrary users. This is achieved through multiple cross-site request forgery (CSRF) vulnerabilities. Specifically, the tool url parameter to ecrire/tools.php and multiple fields on the blogconf, blogroll, ecrire/redacteur.php, and ecrire/user prefs.php pages are vulnerable.

Recommendations For DotClear version 1.2.6, as a temporary workaround, consider restricting access to the ecrire/tools.php page and the vulnerable fields on the blogconf, blogroll, ecrire/redacteur.php, and ecrire/user prefs.php pages to minimize the risk of exploitation. Avoid using the tool url parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.