ID CVE-2007-1638
Summary Multiple cross-site request forgery (CSRF) vulnerabilities in the check_csrftoken function in lib/lib.inc.php in PHProjekt 5.2.0, when magic_quotes_gpc is disabled, allow remote attackers to perform unauthorized actions as an arbitrary user via the (1) Projects, (2) Contacts, (3) Helpdesk, (4) Notes, (5) Search, (6) Mail, or (7) Filemanager module; the (9) summary page; or unspecified other files. Successful exploitation requires that the variable "magic_quotes_gpc" is disabled. Upgrade to version 5.2.1.
References
Vulnerable Configurations
  • cpe:2.3:a:phpprojekt:phpprojekt:5.2.0:*:*:*:*:*:*:*
CVSS
Base: 6.8 (as of 16-10-2018 - 16:39)
Impact:
Exploitability:
CWE NVD-CWE-Other
CAPEC
Access
  • Vector: NETWORK
  • Complexity: MEDIUM
  • Authentication: NONE
Impact
  • Confidentiality: PARTIAL
  • Integrity: PARTIAL
  • Availability: PARTIAL
cvss-vector via4 AV:N/AC:M/Au:N/C:P/I:P/A:P
refmap via4
bugtraq 20070314 n.runs-SA-2007.005 - PHProjekt 5.2.0 - Cross Site Request Forgery
confirm http://www.phprojekt.com/index.php?name=News&file=article&sid=276
gentoo GLSA-200706-07
misc http://www.nruns.de/security_advisory_phprojekt_csrf.php
osvdb 35162
secunia
  • 24509
  • 25748
sreason 2477
xf phprojekt-multiple-modules-csrf(32989)
Last major update 16-10-2018 - 16:39
Published 23-03-2007 - 23:19
Last modified 16-10-2018 - 16:39