CVE-2014-3896 - OpenCVE

Multiple cross-site request forgery (CSRF) vulnerabilities in CGI programs in Seeds acmailer before 3.8.17 and 3.9.x before 3.9.10 Beta allow remote attackers to hijack the authentication of arbitrary users for requests that modify or delete data, as demonstrated by modifying data affecting authorization.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Seeds	Acmailer

Configuration 1 [-]

OR	cpe:2.3:a:seeds:acmailer::::::::
	cpe:2.3:a:seeds:acmailer::::::::

No data.

References

Link	Providers
http://jvn.jp/en/jp/JVN42511610/index.html
http://jvndb.jvn.jp/jvndb/JVNDB-2014-000089
http://www.acmailer.jp/info/de.cgi?id=52

History

No history.

MITRE

Status: PUBLISHED

Assigner: jpcert

Published: 2014-07-29T20:00:00

Updated: 2024-08-06T10:57:17.934Z

Reserved: 2014-05-27T00:00:00

Link: CVE-2014-3896

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2014-07-29T20:55:08.647

Modified: 2018-12-18T14:31:14.697

Link: CVE-2014-3896

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2014-07-29T00:00:00", "descriptions": [{"lang": "en", "value": "Multiple cross-site request forgery (CSRF) vulnerabilities in CGI programs in Seeds acmailer before 3.8.17 and 3.9.x before 3.9.10 Beta allow remote attackers to hijack the authentication of arbitrary users for requests that modify or delete data, as demonstrated by modifying data affecting authorization."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2014-07-29T19:57:00", "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "http://www.acmailer.jp/info/de.cgi?id=52"}, {"name": "JVNDB-2014-000089", "tags": ["third-party-advisory", "x_refsource_JVNDB"], "url": "http://jvndb.jvn.jp/jvndb/JVNDB-2014-000089"}, {"name": "JVN#42511610", "tags": ["third-party-advisory", "x_refsource_JVN"], "url": "http://jvn.jp/en/jp/JVN42511610/index.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "vultures@jpcert.or.jp", "ID": "CVE-2014-3896", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Multiple cross-site request forgery (CSRF) vulnerabilities in CGI programs in Seeds acmailer before 3.8.17 and 3.9.x before 3.9.10 Beta allow remote attackers to hijack the authentication of arbitrary users for requests that modify or delete data, as demonstrated by modifying data affecting authorization."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "http://www.acmailer.jp/info/de.cgi?id=52", "refsource": "CONFIRM", "url": "http://www.acmailer.jp/info/de.cgi?id=52"}, {"name": "JVNDB-2014-000089", "refsource": "JVNDB", "url": "http://jvndb.jvn.jp/jvndb/JVNDB-2014-000089"}, {"name": "JVN#42511610", "refsource": "JVN", "url": "http://jvn.jp/en/jp/JVN42511610/index.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T10:57:17.934Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.acmailer.jp/info/de.cgi?id=52"}, {"name": "JVNDB-2014-000089", "tags": ["third-party-advisory", "x_refsource_JVNDB", "x_transferred"], "url": "http://jvndb.jvn.jp/jvndb/JVNDB-2014-000089"}, {"name": "JVN#42511610", "tags": ["third-party-advisory", "x_refsource_JVN", "x_transferred"], "url": "http://jvn.jp/en/jp/JVN42511610/index.html"}]}]}, "cveMetadata": {"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "assignerShortName": "jpcert", "cveId": "CVE-2014-3896", "datePublished": "2014-07-29T20:00:00", "dateReserved": "2014-05-27T00:00:00", "dateUpdated": "2024-08-06T10:57:17.934Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:seeds:acmailer:*:*:*:*:*:*:*:*", "matchCriteriaId": "3FED3888-9F34-40D7-94E3-1B8AF7028C01", "versionEndExcluding": "3.8.17", "versionStartIncluding": "3.8.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:seeds:acmailer:*:*:*:*:*:*:*:*", "matchCriteriaId": "6D436EBA-83AC-4077-8398-197D5266DC03", "versionEndExcluding": "3.9.10", "versionStartIncluding": "3.9.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Multiple cross-site request forgery (CSRF) vulnerabilities in CGI programs in Seeds acmailer before 3.8.17 and 3.9.x before 3.9.10 Beta allow remote attackers to hijack the authentication of arbitrary users for requests that modify or delete data, as demonstrated by modifying data affecting authorization."}, {"lang": "es", "value": "M\u00faltiples vulnerabilidades de CSRF en CGI programs en Seeds acmailer anterior a 3.8.17 y 3.9.x anterior a 3.9.10 Beta permiten a atacantes remotos secuestrar la autenticaci\u00f3n de usuarios arbitrarios para solicitudes que modifican o eliminan datos, tal y como fue demostrado mediante la modificaci\u00f3n de datos que afectan la autorizaci\u00f3n."}], "id": "CVE-2014-3896", "lastModified": "2018-12-18T14:31:14.697", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}]}, "published": "2014-07-29T20:55:08.647", "references": [{"source": "vultures@jpcert.or.jp", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://jvn.jp/en/jp/JVN42511610/index.html"}, {"source": "vultures@jpcert.or.jp", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://jvndb.jvn.jp/jvndb/JVNDB-2014-000089"}, {"source": "vultures@jpcert.or.jp", "tags": ["Exploit", "Vendor Advisory"], "url": "http://www.acmailer.jp/info/de.cgi?id=52"}], "sourceIdentifier": "vultures@jpcert.or.jp", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "nvd@nist.gov", "type": "Primary"}]}