CVE-2011-1482

Current Description

Multiple cross-site request forgery (CSRF) vulnerabilities in mainfile.php in Francisco Burzi PHP-Nuke 8.0 and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) add user accounts or (2) grant the administrative privilege to a user account, related to a Referer check that uses a substring comparison.

Basic Data

Published: June 21, 2011
Last Modified: August 13, 2018
Assigner: cve@mitre.org
Data Type: CVE
Data Format: MITRE
Data Version: 4.0
Problem Type: CWE-352
CVE Data Version: 4.0

Base Metric V2

CVSS 2 - Version: 2.0
CVSS 2 - Vector String: AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSS 2 - Access Vector: NETWORK
CVSS 2 - Access Complexity: MEDIUM
CVSS 2 - Authentication: NONE
CVSS 2 - Confidentiality Impact: PARTIAL
CVSS 2 - Availability Impact: PARTIAL
CVSS 2 - Base Score: 6.8
Severity: MEDIUM
Exploitability Score: 8.6
Impact Score: 6.4
Obtain All Privilege: false
Obtain User Privilege: false
Obtain Other Privilege: false

Base Metric V3

No data provided.

Configurations

  • OR - Configuration 1
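    | CPE Version | Part | Vendor | Product | Version | Update | Edition | Language | SW Edition | Target SW | Target HW | Other | Version Start Including | Version End Including | Version Start Excluding | Version End Excluding |
    |---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
    | 2.3 | Application | Phpnuke | Php-nuke | 5.0 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Phpnuke | Php-nuke | 5.0.1 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Phpnuke | Php-nuke | 5.1 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Phpnuke | Php-nuke | 5.2 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Phpnuke | Php-nuke | 5.3 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Phpnuke | Php-nuke | 5.3.1 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Phpnuke | Php-nuke | 5.4 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Phpnuke | Php-nuke | 5.5 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Phpnuke | Php-nuke | 5.6 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Phpnuke | Php-nuke | 6.0 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Phpnuke | Php-nuke | 6.5 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Phpnuke | Php-nuke | 6.6 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Phpnuke | Php-nuke | 6.7 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Phpnuke | Php-nuke | 6.8 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Phpnuke | Php-nuke | 6.9 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Phpnuke | Php-nuke | 7.0 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Phpnuke | Php-nuke | 7.1 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Phpnuke | Php-nuke | 7.2 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Phpnuke | Php-nuke | 7.3 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Phpnuke | Php-nuke | 7.4 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Phpnuke | Php-nuke | 7.5 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Phpnuke | Php-nuke | 7.6 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Phpnuke | Php-nuke | 7.7 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Phpnuke | Php-nuke | 7.8 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Phpnuke | Php-nuke | 7.9 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Phpnuke | Php-nuke | * | * | * | * | * | * | * | * | | 8.0 | | |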

Vulnerable Software List

| Vendor | Product | Versions |
|---|---|---|
| Phpnuke | Php-nuke | *, 5.0, 5.0.1, 5.1, 5.2, 5.3, 5.3.1, 5.4, 5.5, 5.6, 6.0, 6.5, 6.6, 6.7, 6.8, 6.9, 7.0, 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.7, 7.8, 7.9 |

References

| Name | Source | URL | Tags |
|---|---|---|---|
| [oss-security] 20110323 CVE Request: PHP-Nuke 8.x <= Cross Site Request Forgery (CSRF) / Anti-CSRF Bypass Vulnerability | MLIST | http://www.openwall.com/lists/oss-security/2011/03/23/9 | Exploit |
| [oss-security] 20110330 Re: CVE Request: PHP-Nuke 8.x <= Cross Site Request Forgery (CSRF) / Anti-CSRF Bypass Vulnerability | MLIST | http://www.openwall.com/lists/oss-security/2011/03/30/8 | Exploit |
| http://yehg.net/lab/pr0js/advisories/[phpnuke-8.x]_cross_site_request_forgery | MISC | http://yehg.net/lab/pr0js/advisories/[phpnuke-8.x]_cross_site_request_forgery | Broken Link |