Vulnerability Details : CVE-2008-7214
Cross-site request forgery (CSRF) vulnerability in administrator/index2.php in MOStlyCE before 2.4, as used in Mambo 4.6.3 and earlier, allows remote attackers to hijack the authentication of administrators for requests that add new administrator accounts via the save task in a com_users action, as demonstrated using a separate XSS vulnerability in mambots/editors/mostlyce/jscripts/tiny_mce/filemanager/connectors/php/connector.php.
Vulnerability categories: Cross-site scripting (XSS); Cross-site request forgery (CSRF)
Products affected by CVE-2008-7214
- cpe:2.3:a:mambo-foundation:mambo:*:*:*:*:*:*:*:*
- cpe:2.3:a:mambo-foundation:mambo:4.6.2:*:*:*:*:*:*:*
- cpe:2.3:a:brilaps:mostlyce:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2008-7214
- 0.54%: probability of exploitation activity in the next 30 days
- ~74%: percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2008-7214
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P | 8.6 | 6.4 | NIST | |
CWE ids for CVE-2008-7214
- The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request. Assigned by: nvd@nist.gov (Primary)
References for CVE-2008-7214
- http://www.bugreport.ir/index_33.htm (Exploit)
- http://www.securityfocus.com/archive/1/487128/100/200/threaded
- https://exchange.xforce.ibmcloud.com/vulnerabilities/39985
- http://www.vupen.com/english/advisories/2008/0325 (Vendor Advisory)
- http://archives.neohapsis.com/archives/bugtraq/2008-02/0444.html
- http://forum.mambo-foundation.org/showthread.php?t=10158