CVE-2011-4452

Cross-site request forgery (CSRF) vulnerability in the AdminUsers component in WikkaWiki 1.3.1 and 1.3.2 allows remote attackers to hijack the authentication of administrators for requests that remove arbitrary user accounts via a delete operation, as demonstrated by an {{image}} action.

CVSS v2.0 6.8 MEDIUM

6.8^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:P/I:P/A:P

Exploitability : 8.6 / Impact : 6.4

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://wush.net/trac/wikka/changeset/1819	Exploit Patch
http://wush.net/trac/wikka/changeset/1832	Exploit Patch
http://wush.net/trac/wikka/ticket/1097
http://wush.net/trac/wikka/ticket/1098	Exploit

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:wikkawiki:wikkawiki:1.3.1:::::::*
	cpe:2.3:a:wikkawiki:wikkawiki:1.3.2:::::::*

History

No history.

Information

Published : 2012-09-05 20:55

Updated : 2024-02-04 18:16

NVD link : CVE-2011-4452

Mitre link : CVE-2011-4452

CVE.ORG link : CVE-2011-4452

JSON object : View

Products Affected

wikkawiki

wikkawiki

CWE

CWE-352

Cross-Site Request Forgery (CSRF)

{"id": "CVE-2011-4452", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}]}, "published": "2012-09-05T20:55:01.287", "references": [{"url": "http://wush.net/trac/wikka/changeset/1819", "tags": ["Exploit", "Patch"], "source": "cve@mitre.org"}, {"url": "http://wush.net/trac/wikka/changeset/1832", "tags": ["Exploit", "Patch"], "source": "cve@mitre.org"}, {"url": "http://wush.net/trac/wikka/ticket/1097", "source": "cve@mitre.org"}, {"url": "http://wush.net/trac/wikka/ticket/1098", "tags": ["Exploit"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-352"}]}], "descriptions": [{"lang": "en", "value": "Cross-site request forgery (CSRF) vulnerability in the AdminUsers component in WikkaWiki 1.3.1 and 1.3.2 allows remote attackers to hijack the authentication of administrators for requests that remove arbitrary user accounts via a delete operation, as demonstrated by an {{image}} action."}, {"lang": "es", "value": "Vulnerabilidad de falsificaci\u00f3n de peticiones en sitios cruzados (CSRF) en el componente AdminUsers en WikkaWiki v1.3.1 y v1.3.2 permite a atacantes remotos secuestrar la autenticaci\u00f3n de los administradores de las peticiones que elimina cuentas de usuario arbitrarios a trav\u00e9s de una operaci\u00f3n de eliminaci\u00f3n, como lo demuestra un acci\u00f3n {{imagen }}."}], "lastModified": "2012-09-06T13:08:18.160", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:wikkawiki:wikkawiki:1.3.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "63F5FD8C-02BB-4208-AEF8-11797376DA23"}, {"criteria": "cpe:2.3:a:wikkawiki:wikkawiki:1.3.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C44D576A-77E7-4E70-9E17-41E96A9A4A2A"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}