CVE-2008-6269 - OpenCVE

Joovili 3.1.4 allows remote attackers to bypass authentication and gain privileges as other users, including the administrator, by setting the (1) session_id, session_logged_in, and session_username cookies for user privileges; (2) session_admin_id, session_admin_username, and session_admin cookies for admin privileges; and (3) session_staff_id, session_staff_username, and session_staff cookies for staff users.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Joovili	Joovili

Configuration 1 [-]

cpe:2.3:a:joovili:joovili:3.1.4:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://secunia.com/advisories/32491
http://www.securityfocus.com/bid/32058
http://www.vupen.com/english/advisories/2008/2978
https://exchange.xforce.ibmcloud.com/vulnerabilities/46272
https://www.exploit-db.com/exploits/6955

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2009-02-25T11:00:00

Updated: 2024-08-07T11:27:34.802Z

Reserved: 2009-02-24T00:00:00

Link: CVE-2008-6269

Vulnrichment

No data.

NVD

Status : Modified

Published: 2009-02-25T11:30:00.420

Modified: 2017-09-29T01:33:03.840

Link: CVE-2008-6269

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2008-11-02T00:00:00", "descriptions": [{"lang": "en", "value": "Joovili 3.1.4 allows remote attackers to bypass authentication and gain privileges as other users, including the administrator, by setting the (1) session_id, session_logged_in, and session_username cookies for user privileges; (2) session_admin_id, session_admin_username, and session_admin cookies for admin privileges; and (3) session_staff_id, session_staff_username, and session_staff cookies for staff users."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-09-28T12:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "joovili-multiple-cookie-security-bypass(46272)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/46272"}, {"name": "32491", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/32491"}, {"name": "6955", "tags": ["exploit", "x_refsource_EXPLOIT-DB"], "url": "https://www.exploit-db.com/exploits/6955"}, {"name": "32058", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/32058"}, {"name": "ADV-2008-2978", "tags": ["vdb-entry", "x_refsource_VUPEN"], "url": "http://www.vupen.com/english/advisories/2008/2978"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2008-6269", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Joovili 3.1.4 allows remote attackers to bypass authentication and gain privileges as other users, including the administrator, by setting the (1) session_id, session_logged_in, and session_username cookies for user privileges; (2) session_admin_id, session_admin_username, and session_admin cookies for admin privileges; and (3) session_staff_id, session_staff_username, and session_staff cookies for staff users."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "joovili-multiple-cookie-security-bypass(46272)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/46272"}, {"name": "32491", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/32491"}, {"name": "6955", "refsource": "EXPLOIT-DB", "url": "https://www.exploit-db.com/exploits/6955"}, {"name": "32058", "refsource": "BID", "url": "http://www.securityfocus.com/bid/32058"}, {"name": "ADV-2008-2978", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2008/2978"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-07T11:27:34.802Z"}, "title": "CVE Program Container", "references": [{"name": "joovili-multiple-cookie-security-bypass(46272)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/46272"}, {"name": "32491", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/32491"}, {"name": "6955", "tags": ["exploit", "x_refsource_EXPLOIT-DB", "x_transferred"], "url": "https://www.exploit-db.com/exploits/6955"}, {"name": "32058", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/32058"}, {"name": "ADV-2008-2978", "tags": ["vdb-entry", "x_refsource_VUPEN", "x_transferred"], "url": "http://www.vupen.com/english/advisories/2008/2978"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2008-6269", "datePublished": "2009-02-25T11:00:00", "dateReserved": "2009-02-24T00:00:00", "dateUpdated": "2024-08-07T11:27:34.802Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:joovili:joovili:3.1.4:*:*:*:*:*:*:*", "matchCriteriaId": "7F52999D-DBD9-41F5-9B49-3BAFF6FBE90E", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Joovili 3.1.4 allows remote attackers to bypass authentication and gain privileges as other users, including the administrator, by setting the (1) session_id, session_logged_in, and session_username cookies for user privileges; (2) session_admin_id, session_admin_username, and session_admin cookies for admin privileges; and (3) session_staff_id, session_staff_username, and session_staff cookies for staff users."}, {"lang": "es", "value": "Joovili v3.1.4 permite a atacantes remotos evitar la autenticaci\u00f3n y obtener privilegios como otros usuarios, incluyendo el usuario aedministrador, modificando las cookies (1) session_id, session_logged_in, y session_username con privilegios de usuario; las cookies (2) session_admin_id, session_admin_username, and session_admin con privilegios de administraci\u00f3n (3) y las cookies session_staff_id, session_staff_username, and session_staff como usuarios del staff."}], "id": "CVE-2008-6269", "lastModified": "2017-09-29T01:33:03.840", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": true, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2009-02-25T11:30:00.420", "references": [{"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/32491"}, {"source": "cve@mitre.org", "tags": ["Exploit"], "url": "http://www.securityfocus.com/bid/32058"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://www.vupen.com/english/advisories/2008/2978"}, {"source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/46272"}, {"source": "cve@mitre.org", "url": "https://www.exploit-db.com/exploits/6955"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "nvd@nist.gov", "type": "Primary"}]}