Lucene search

MitreCVE-2015-6973

HistorySep 16, 2015 - 7:59 p.m.

CVE-2015-6973

2015-09-1619:59:01

CWE-352

mitre

web.nvd.nist.gov

cve-2015-6973

ignite realtime openfire

csrf

cross-site request forgery

security vulnerability

nvd

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

AI Score

7.2

Confidence

Low

EPSS

0.945

Percentile

99.2%

JSON

Multiple cross-site request forgery (CSRF) vulnerabilities in Ignite Realtime Openfire 3.10.2 allow remote attackers to hijack the authentication of administrators for requests that (1) change a password via a crafted request to user-password.jsp, (2) add users via a crafted request to user-create.jsp, (3) edit server settings or (4) disable SSL on the server via a crafted request to server-props.jsp, or (5) add clients via a crafted request to plugins/clientcontrol/permitted-clients.jsp.

Affected configurations

Nvd

Node

igniterealtimeopenfireMatch3.10.2

VendorProductVersionCPE
igniterealtimeopenfire3.10.2cpe:2.3:a:igniterealtime:openfire:3.10.2:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
igniterealtime	openfire	3.10.2	cpe:2.3:a:igniterealtime:openfire:3.10.2:::::::*

References

hyp3rlinx.altervista.org/advisories/AS-OPENFIRE-CSRF.txt

packetstormsecurity.com/files/133554/Openfire-3.10.2-Cross-Site-Request-Forgery.html

www.securityfocus.com/archive/1/536470/100/0/threaded

security.gentoo.org/glsa/201612-50

www.exploit-db.com/exploits/38192/

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

AI Score

7.2

Confidence

Low

EPSS

0.945

Percentile

99.2%

JSON

Related for CVE-2015-6973