CVE-2010-0637

Multiple cross-site request forgery (CSRF) vulnerabilities in WebCalendar 1.2.0, and other versions before 1.2.5, allow remote attackers to hijack the authentication of administrators for requests that (1) delete an event or (2) ban an IP address from posting via unknown vectors. NOTE: some of these details are obtained from third party information.

CVSS v2.0 6.8 MEDIUM

6.8^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:P/I:P/A:P

Exploitability : 8.6 / Impact : 6.4

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://holisticinfosec.org/content/view/133/45/
http://secunia.com/advisories/38222	Vendor Advisory
http://webcalendar.cvs.sourceforge.net/viewvc/webcalendar/webcalendar/ChangeLog?pathrev=REL_1_2

Configurations

Configuration 1 (hide)

cpe:2.3:a:k5n:webcalendar:1.2.0:*:*:*:*:*:*:*

History

No history.

Information

Published : 2010-02-12 22:30

Updated : 2024-02-04 17:54

NVD link : CVE-2010-0637

Mitre link : CVE-2010-0637

CVE.ORG link : CVE-2010-0637

JSON object : View

Products Affected

k5n

webcalendar

CWE

CWE-352

Cross-Site Request Forgery (CSRF)

{"id": "CVE-2010-0637", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}]}, "published": "2010-02-12T22:30:00.610", "references": [{"url": "http://holisticinfosec.org/content/view/133/45/", "source": "cve@mitre.org"}, {"url": "http://secunia.com/advisories/38222", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "http://webcalendar.cvs.sourceforge.net/viewvc/webcalendar/webcalendar/ChangeLog?pathrev=REL_1_2", "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-352"}]}], "descriptions": [{"lang": "en", "value": "Multiple cross-site request forgery (CSRF) vulnerabilities in WebCalendar 1.2.0, and other versions before 1.2.5, allow remote attackers to hijack the authentication of administrators for requests that (1) delete an event or (2) ban an IP address from posting via unknown vectors. NOTE: some of these details are obtained from third party information."}, {"lang": "es", "value": "M\u00faltiples vulnerabilidades de tipo cross-site request forgery (CSRF) en WebCalendar versi\u00f3n 1.2.0, y otras versiones anteriores a 1.2.5, permiten a los atacantes remotos secuestrar la identificaci\u00f3n de administradores para las peticiones que (1) eliminan un evento o (2) proh\u00edben una direcci\u00f3n IP de publicaci\u00f3n por medio de vectores desconocidos. NOTA: algunos de estos datos fueron obtenidos de la informaci\u00f3n de terceros."}], "lastModified": "2012-10-13T02:58:03.000", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:k5n:webcalendar:1.2.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E565A5E0-13BA-4D89-AC5E-EA5309E9ED81"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}