CVE-2017-6086

Name of the Vulnerable Software and Affected Versions ViMbAdmin version 3.0.15

Description The issue allows remote attackers to hijack the authentication of logged administrators. This can be achieved through multiple cross-site request forgery (CSRF) vulnerabilities in the addAction and purgeAction functions. The vulnerabilities enable attackers to perform various actions, including adding or removing administrator users, changing administrator passwords, adding or deleting mailboxes, archiving mailbox addresses, and adding or removing alias addresses. These actions can be initiated via crafted requests to specific API endpoints, such as <vimbadmin directory>/application/controllers/DomainController.php, <vimbadmin directory>/application/controllers/MailboxController.php, <vimbadmin directory>/application/controllers/ArchiveController.php, and <vimbadmin directory>/application/controllers/AliasController.php.

Recommendations For ViMbAdmin version 3.0.15, consider disabling the addAction and purgeAction functions as a temporary workaround until a patch is available. Restrict access to the vulnerable API endpoints, such as <vimbadmin directory>/application/controllers/DomainController.php, <vimbadmin directory>/application/controllers/MailboxController.php, <vimbadmin directory>/application/controllers/ArchiveController.php, and <vimbadmin directory>/application/controllers/AliasController.php, to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.