GHSA-rrmf-fpmm-jpwr

Source
https://github.com/advisories/GHSA-rrmf-fpmm-jpwr
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-rrmf-fpmm-jpwr/GHSA-rrmf-fpmm-jpwr.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-rrmf-fpmm-jpwr
Aliases
Published
2022-05-17T02:12:38Z
Modified
2024-04-25T23:11:46.018033Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
ViMbAdmin CSRF Vulnerabilities
Details

Multiple cross-site request forgery (CSRF) vulnerabilities in the addAction and purgeAction functions in ViMbAdmin 3.0.15 allow remote attackers to hijack the authentication of logged-in administrators in order to:

1. add an administrator user via a crafted POST request to <vimbadmin directory>/application/controllers/DomainController.php,
2. remove an administrator user via a crafted GET request to <vimbadmin directory>/application/controllers/DomainController.php,
3. change an administrator password via a crafted POST request to <vimbadmin directory>/application/controllers/DomainController.php,
4. add a mailbox via a crafted POST request to <vimbadmin directory>/application/controllers/MailboxController.php,
5. delete a mailbox via a crafted POST request to <vimbadmin directory>/application/controllers/MailboxController.php,
6. archive a mailbox address via a crafted GET request to <vimbadmin directory>/application/controllers/ArchiveController.php,
7. add an alias address via a crafted POST request to <vimbadmin directory>/application/controllers/AliasController.php, or
8. remove an alias address via a crafted GET request to <vimbadmin directory>/application/controllers/AliasController.php.

Database specific
{
    "nvd_published_at": "2017-06-27T20:29:00Z",
    "cwe_ids": [
        "CWE-352"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-25T22:53:10Z"
}
References

Affected packages

Packagist / opensolutions/vimbadmin

Package

Name
opensolutions/vimbadmin
Purl
pkg:composer/opensolutions/vimbadmin

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Last affected
3.0.15

Affected versions

3.*

3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.0.5
3.0.6
3.0.7
3.0.8
3.0.9
3.0.10
3.0.11
3.0.12
3.0.13
3.0.14
3.0.15