CVE-2012-5004

Name of the Vulnerable Software and Affected Versions Parallels H-Sphere version 3.3 Patch 1

Description The issue concerns multiple cross-site request forgery (CSRF) vulnerabilities. These vulnerabilities allow remote attackers to hijack the authentication of admins for specific requests, including adding group plans via "admin/group plans.html" and adding extra packages via "admin/extra packs/create extra pack.html".

Recommendations For Parallels H-Sphere version 3.3 Patch 1, as a temporary workaround, consider restricting access to the "admin/group plans.html" and "admin/extra packs/create extra pack.html" endpoints until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.