Vulnerability Details : CVE-2014-9101
Multiple cross-site request forgery (CSRF) vulnerabilities in Oxwall 1.7.0 (build 7907 and 7906) and SkaDate Lite 2.0 (build 7651) allow remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks or possibly have other unspecified impact via the (1) label parameter to admin/users/roles/, (2) lang[1][base][questions_account_type_5615100a931845eca8da20cfdf7327e0] in an AddAccountType action or (3) qst_name parameter in an addQuestion action to admin/questions/ajax-responder/, or (4) form_name or (5) restrictedUsername parameter to admin/restricted-usernames.
Vulnerability category: Cross site scripting (XSS)Cross-site request forgery (CSRF)
Products affected by CVE-2014-9101
- cpe:2.3:a:oxwall:oxwall:1.7.0:*:*:*:*:*:*:*
- cpe:2.3:a:skalfa:skadate_lite:2.0:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2014-9101
1.23%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 85 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2014-9101
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.8
|
MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
8.6
|
6.4
|
NIST |
CWE ids for CVE-2014-9101
-
The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.Assigned by: nvd@nist.gov (Primary)
References for CVE-2014-9101
-
http://packetstormsecurity.com/files/127652/Oxwall-1.7.0-Cross-Site-Request-Forgery-Cross-Site-Scripting.html
Oxwall 1.7.0 Cross Site Request Forgery / Cross Site Scripting ≈ Packet StormExploit
-
http://packetstormsecurity.com/files/127690/SkaDate-Lite-2.0-CSRF-Cross-Site-Scripting.html
SkaDate Lite 2.0 CSRF / Cross Site Scripting ≈ Packet StormExploit
-
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5195.php
Zero Science Lab » Oxwall 1.7.0 Multiple CSRF And HTML Injection Vulnerabilities
-
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5197.php
Zero Science Lab » SkaDate Lite 2.0 Multiple XSRF And Persistent XSS VulnerabilitiesExploit
-
http://www.exploit-db.com/exploits/34190
Oxwall 1.7.0 - Multiple Cross-Site Request Forgery / HTML Injection Vulnerabilities - PHP webapps ExploitExploit
-
http://www.securityfocus.com/bid/68971
SkaDate Lite Multiple Cross Site Request Forgery and HTML Injection Vulnerabilities
Jump to