CVE-2011-3994 : Cross-site request forgery (CSRF) vulnerability in SKYARC MTCMS before 5.252, an

Cross-site request forgery (CSRF) vulnerability in SKYARC MTCMS before 5.252, and the MultiFileUploader 0.44 and earlier, DuplicateEntry 1.2 and earlier, MailPack 1.741 and earlier, and AutoTagging 0.08 and earlier plugins for Movable Type, allows remote attackers to hijack the authentication of arbitrary users for requests that modify data.

Published 2011-11-03 17:55:02

Updated 2011-11-16 05:00:00

Source JPCERT/CC

View at NVD, CVE.org

Vulnerability category: Cross-site request forgery (CSRF)

Products affected by CVE-2011-3994

Skyarc » Mtcms
Versions up to, including, (<=) 5.251
cpe:2.3:a:skyarc:mtcms:*:*:*:*:*:*:*:*
Matching versions
Skyarc » Mtcms » Version: 5.24
cpe:2.3:a:skyarc:mtcms:5.24:*:*:*:*:*:*:*
Matching versions
Skyarc » Mtcms » Version: 5.24 Smart Edition
cpe:2.3:a:skyarc:mtcms:5.24:*:smart:*:*:*:*:*
Matching versions
Skyarc » Mtcms » Version: 5.251 Enterprise Edition
cpe:2.3:a:skyarc:mtcms:5.251:*:enterprise:*:*:*:*:*
Matching versions
Skyarc » Mtcms » Version: 5.251 Smart Edition
cpe:2.3:a:skyarc:mtcms:5.251:*:smart:*:*:*:*:*
Matching versions
Skyarc » Mtcms » Version: 5.25
cpe:2.3:a:skyarc:mtcms:5.25:*:*:*:*:*:*:*
Matching versions
Skyarc » Mtcms » Version: 5.25 Enterprise Edition
cpe:2.3:a:skyarc:mtcms:5.25:*:enterprise:*:*:*:*:*
Matching versions
Skyarc » Mtcms » Version: 5.23
cpe:2.3:a:skyarc:mtcms:5.23:*:*:*:*:*:*:*
Matching versions
Skyarc » Mtcms » Version: 5.22
cpe:2.3:a:skyarc:mtcms:5.22:*:*:*:*:*:*:*
Matching versions
Skyarc » Mtcms » Version: 5.21
cpe:2.3:a:skyarc:mtcms:5.21:*:*:*:*:*:*:*
Matching versions
Skyarc » Mtcms » Version: 5.2
cpe:2.3:a:skyarc:mtcms:5.2:*:*:*:*:*:*:*
Matching versions
Skyarc » Mtcms » Version: 5.25 Smart Edition
cpe:2.3:a:skyarc:mtcms:5.25:*:smart:*:*:*:*:*
Matching versions
Skyarc » Mtcms » Version: 5.24 Enterprise Edition
cpe:2.3:a:skyarc:mtcms:5.24:*:enterprise:*:*:*:*:*
Matching versions
Skyarc » Multifileuploader
Versions up to, including, (<=) 0.44
cpe:2.3:a:skyarc:multifileuploader:*:*:*:*:*:*:*:*
Matching versions
Skyarc » Duplicateentry
Versions up to, including, (<=) 1.2
cpe:2.3:a:skyarc:duplicateentry:*:*:*:*:*:*:*:*
Matching versions
Skyarc » Mailpack
Versions up to, including, (<=) 1.741
cpe:2.3:a:skyarc:mailpack:*:*:*:*:*:*:*:*
Matching versions
Skyarc » Autotagging
Versions up to, including, (<=) 0.08
cpe:2.3:a:skyarc:autotagging:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2011-3994

EPSS FAQ

0.16%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 53 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2011-3994

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
6.8	MEDIUM	AV:N/AC:M/Au:N/C:P/I:P/A:P	8.6	6.4	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial

CWE ids for CVE-2011-3994

CWE-352 Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2011-3994

http://jvn.jp/en/jp/JVN56667137/index.html

JVN#56667137: Multiple SKYARC System Co., Ltd. products vulnerable to cross-site request forgery
http://jvndb.jvn.jp/jvndb/JVNDB-2011-000094

JVNDB-2011-000094 - JVN iPedia - 脆弱性対策情報データベース
http://www.mtcms.jp/news/product/201110131921.html

[重要]MTCMS 5.252のリリースおよびセキュリティアップデートの提供を開始 | お知らせ | MTCMS

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2011-3994

Products affected by CVE-2011-3994

Exploit prediction scoring system (EPSS) score for CVE-2011-3994

CVSS scores for CVE-2011-3994

CWE ids for CVE-2011-3994

References for CVE-2011-3994