CVE-2008-7214: CSRF
First published: Fri Sep 11 2009(Updated: )
Cross-site request forgery (CSRF) vulnerability in administrator/index2.php in MOStlyCE before 2.4, as used in Mambo 4.6.3 and earlier, allows remote attackers to hijack the authentication of administrators for requests that add new administrator accounts via the save task in a com_users action, as demonstrated using a separate XSS vulnerability in mambots/editors/mostlyce/jscripts/tiny_mce/filemanager/connectors/php/connector.php.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Mambo | <=4.6.3 | |
| Mambo | =4.6.2 | |
| brilaps mostlyce | <=2.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://archives.neohapsis.com/archives/bugtraq/2008-02/0444.html
- http://www.vupen.com/english/advisories/2008/0325
- http://forum.mambo-foundation.org/showthread.php?t=10158
- http://secunia.com/advisories/28670
- http://www.bugreport.ir/index_33.htm
- http://osvdb.org/42531
- https://exchange.xforce.ibmcloud.com/vulnerabilities/39985
- http://www.securityfocus.com/archive/1/487128/100/200/threaded
Frequently Asked Questions
What is the severity of CVE-2008-7214?
CVE-2008-7214 has a medium severity rating due to its potential to allow unauthorized administrative access.
How do I fix CVE-2008-7214?
To fix CVE-2008-7214, update to Mambo version 4.6.4 or later, or ensure that your version of MOStlyCE is updated beyond 2.0.
Which software is affected by CVE-2008-7214?
CVE-2008-7214 affects Mambo versions up to 4.6.3 and MOStlyCE versions up to 2.0.
What type of attack does CVE-2008-7214 facilitate?
CVE-2008-7214 facilitates cross-site request forgery (CSRF) attacks that allow attackers to hijack administrator sessions.
Can I mitigate the risks of CVE-2008-7214 without upgrading?
Mitigating CVE-2008-7214 without upgrading is challenging, but implementing web application firewalls may help reduce risk until an upgrade can be performed.
- collector/nvd-historical
- agent/references
- agent/weakness
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/last-modified-date
- agent/author
- agent/description
- agent/first-publish-date
- agent/event
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/mambo-foundation
- canonical/mambo
- version/mambo/4.6.3
- version/mambo/4.6.2
- vendor/brilaps
- canonical/brilaps mostlyce
- version/brilaps mostlyce/2.0