PT-2018-9404 · Metronet · Metronet Tag Manager

Mallory Adams · Published 2018-06-26 · Updated 2018-08-30 · CVE-2018-1000506

CVSS v3.1: 8.8 High

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Metronet Tag Manager versions 1.2.7 through 1.2.8

Description

The issue is a Cross-Site Request Forgery (CSRF) vulnerability located in the Settings page at the "/wp-admin/options-general.php?page=metronet-tag-manager" endpoint. This vulnerability can be exploited when a logged-in user follows a malicious link, potentially allowing an attacker to perform actions with admin privileges.

Recommendations

For Metronet Tag Manager versions 1.2.7 through 1.2.8, update to version 1.2.9 to resolve the issue.

Exploit

Fix

CSRF

Weakness Enumeration

Related Identifiers

CVE-2018-1000506

Affected Products

Metronet Tag Manager