PT-2015-3494 · Argyle · Argyle Social

Published: 2015-01-01 · Updated: 2015-01-03 · CVE-2011-5298

CVSS v2.0: 6.8 (Medium)

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions

Argyle Social version 2011-04-26

Description

Multiple cross-site request forgery (CSRF) vulnerabilities allow remote attackers to hijack the authentication of administrators for state-changing requests. Because a forged request is issued by the administrator's own browser, it is accepted under the administrator's existing session. The affected requests are those that: modify credentials via the role parameter sent to the "users/create/" endpoint; modify rules via the terms field in the stream filter rule JSON data sent to the "settings-ajax/stream filter rules/create" endpoint; or modify efforts via the title field in the effort JSON data sent to the "publish-ajax/efforts/create" endpoint.

Recommendations

For Argyle Social version 2011-04-26, as a temporary workaround, consider disabling the "users/create/", "settings-ajax/stream filter rules/create", and "publish-ajax/efforts/create" endpoints until a patch is available. Restrict access to these endpoints to minimize the risk of exploitation, and avoid using the role, terms, and title parameters in the affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

CSRF

Weakness Enumeration

Related Identifiers

CVE-2011-5298

Affected Products

Argyle Social