CVE-2017-16244 - Vulnerability Details - OpenCVE

Description

Cross-Site Request Forgery exists in OctoberCMS 1.0.426 (aka Build 426) due to improper validation of CSRF tokens for postback handling, allowing an attacker to successfully take over the victim's account. The attack bypasses a protection mechanism involving X-CSRF headers and CSRF tokens via a certain _handler postback variable.

Published: 2017-11-01

Score: 8.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

n/a

affected

Version	Status	Constraints
`n/a`	affected	—

Configuration 1 [-]

cpe:2.3:a:octobercms:october:1.0.426:*:*:*:*:*:*:*

No data.

No data available yet.

Remediation

No remediation available yet.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2022-5379	Cross-Site Request Forgery exists in OctoberCMS 1.0.426 (aka Build 426) due to improper validation of CSRF tokens for postback handling, allowing an attacker to successfully take over the victim's account. The attack bypasses a protection mechanism involving X-CSRF headers and CSRF tokens via a certain _handler postback variable.
Github GHSA	GHSA-vm6r-4p4v-232x	October CMS CSRF

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00403.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://github.com/octobercms/october/commit/4a6e0e1e0e2c3facebc17e0db38c5b4d4cb05bd0
https://www.exploit-db.com/exploits/43106/

History

No history.

Subscriptions

Octobercms October

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2017-11-01T01:00:00.000Z

Updated: 2024-08-05T20:20:05.225Z

Reserved: 2017-10-31T00:00:00.000Z

Link: CVE-2017-16244

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2017-11-01T01:29:00.980

Modified: 2025-04-20T01:37:25.860

Link: CVE-2017-16244

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-352

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2017-10-31T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "Cross-Site Request Forgery exists in OctoberCMS 1.0.426 (aka Build 426) due to improper validation of CSRF tokens for postback handling, allowing an attacker to successfully take over the victim's account. The attack bypasses a protection mechanism involving X-CSRF headers and CSRF tokens via a certain _handler postback variable."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-11-03T09:57:01.000Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/octobercms/october/commit/4a6e0e1e0e2c3facebc17e0db38c5b4d4cb05bd0"}, {"name": "43106", "tags": ["exploit", "x_refsource_EXPLOIT-DB"], "url": "https://www.exploit-db.com/exploits/43106/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2017-16244", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Cross-Site Request Forgery exists in OctoberCMS 1.0.426 (aka Build 426) due to improper validation of CSRF tokens for postback handling, allowing an attacker to successfully take over the victim's account. The attack bypasses a protection mechanism involving X-CSRF headers and CSRF tokens via a certain _handler postback variable."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/octobercms/october/commit/4a6e0e1e0e2c3facebc17e0db38c5b4d4cb05bd0", "refsource": "CONFIRM", "url": "https://github.com/octobercms/october/commit/4a6e0e1e0e2c3facebc17e0db38c5b4d4cb05bd0"}, {"name": "43106", "refsource": "EXPLOIT-DB", "url": "https://www.exploit-db.com/exploits/43106/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T20:20:05.225Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/octobercms/october/commit/4a6e0e1e0e2c3facebc17e0db38c5b4d4cb05bd0"}, {"name": "43106", "tags": ["exploit", "x_refsource_EXPLOIT-DB", "x_transferred"], "url": "https://www.exploit-db.com/exploits/43106/"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-16244", "datePublished": "2017-11-01T01:00:00.000Z", "dateReserved": "2017-10-31T00:00:00.000Z", "dateUpdated": "2024-08-05T20:20:05.225Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:octobercms:october:1.0.426:*:*:*:*:*:*:*", "matchCriteriaId": "07538645-52CC-4A5F-BF22-4B653C34DC6E", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Cross-Site Request Forgery exists in OctoberCMS 1.0.426 (aka Build 426) due to improper validation of CSRF tokens for postback handling, allowing an attacker to successfully take over the victim's account. The attack bypasses a protection mechanism involving X-CSRF headers and CSRF tokens via a certain _handler postback variable."}, {"lang": "es", "value": "Existe Cross-Site Request Forgery (CSRF) en OctoberCMS 1.0.426 (tambi\u00e9n conocido como Build 426) debido a la validaci\u00f3n incorrecta de tokens CSRF para la gesti\u00f3n de postback, lo que permite que un atacante consiga controlar la cuenta de la v\u00edctima. El ataque omite un mecanismo de protecci\u00f3n que implica cabeceras X-CSRF y tokens CSRF mediante una determinada variable de postback _handler."}], "id": "CVE-2017-16244", "lastModified": "2025-04-20T01:37:25.860", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-11-01T01:29:00.980", "references": [{"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/octobercms/october/commit/4a6e0e1e0e2c3facebc17e0db38c5b4d4cb05bd0"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "https://www.exploit-db.com/exploits/43106/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/octobercms/october/commit/4a6e0e1e0e2c3facebc17e0db38c5b4d4cb05bd0"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "https://www.exploit-db.com/exploits/43106/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "nvd@nist.gov", "type": "Primary"}]}