PT-2009-5863 · Sql Ledger+1 · Sql-Ledger+1
Published
2009-12-23
·
Updated
2018-10-10
·
CVE-2009-3580
CVSS v2.0
6.8
Medium
| Vector | AV:N/AC:M/Au:N/C:P/I:P/A:P |
Name of the Vulnerable Software and Affected Versions
SQL-Ledger version 2.8.24
Description
A cross-site request forgery issue allows remote attackers to hijack user authentication for password change requests. This is achieved by manipulating the
login, new password, and confirm password parameters in a preferences action.Recommendations
For SQL-Ledger version 2.8.24, consider disabling the password change functionality via the preferences action until a patch is available. Restrict access to the affected
am.pl script to minimize the risk of exploitation. Avoid using the login, new password, and confirm password parameters in the preferences action until the issue is resolved.Fix
CSRF
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Debian
Sql-Ledger