Cross-site request forgery (CSRF) vulnerability in administrator/index2.php in MOStlyCE before 2.4, as used in Mambo 4.6.3 and earlier, allows remote attackers to hijack the authentication of administrators for requests that add new administrator accounts via the save task in a com_users action, as demonstrated using a separate XSS vulnerability in mambots/editors/mostlyce/jscripts/tiny_mce/filemanager/connectors/php/connector.php.

Metrics

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Affected Vendors & Products

Vendors Products
Brilaps
  • Mostlyce
Mambo-foundation
  • Mambo

Configuration 1 [-]

AND
OR cpe:2.3:a:mambo-foundation:mambo:*:*:*:*:*:*:*:*
cpe:2.3:a:mambo-foundation:mambo:4.6.2:*:*:*:*:*:*:*
cpe:2.3:a:brilaps:mostlyce:*:*:*:*:*:*:*:*

No data.

References
Link Providers
http://archives.neohapsis.com/archives/bugtraq/2008-02/0444.html cve-icon cve-icon
http://forum.mambo-foundation.org/showthread.php?t=10158 cve-icon cve-icon
http://osvdb.org/42531 cve-icon cve-icon
http://secunia.com/advisories/28670 cve-icon cve-icon
http://www.bugreport.ir/index_33.htm cve-icon cve-icon
http://www.securityfocus.com/archive/1/487128/100/200/threaded cve-icon cve-icon
http://www.vupen.com/english/advisories/2008/0325 cve-icon cve-icon
https://exchange.xforce.ibmcloud.com/vulnerabilities/39985 cve-icon cve-icon
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2009-09-11T16:00:00

Updated: 2024-08-07T11:56:14.484Z

Reserved: 2009-09-11T00:00:00

Link: CVE-2008-7214

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2009-09-11T16:30:00.500

Modified: 2018-10-11T20:58:31.913

Link: CVE-2008-7214

cve-icon Redhat

No data.