CVE-2017-16244

{"id": "CVE-2017-16244", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2017-11-01T01:29:00.980", "references": [{"url": "https://github.com/octobercms/october/commit/4a6e0e1e0e2c3facebc17e0db38c5b4d4cb05bd0", "tags": ["Patch", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.exploit-db.com/exploits/43106/", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-352"}]}], "descriptions": [{"lang": "en", "value": "Cross-Site Request Forgery exists in OctoberCMS 1.0.426 (aka Build 426) due to improper validation of CSRF tokens for postback handling, allowing an attacker to successfully take over the victim's account. The attack bypasses a protection mechanism involving X-CSRF headers and CSRF tokens via a certain _handler postback variable."}, {"lang": "es", "value": "Existe Cross-Site Request Forgery (CSRF) en OctoberCMS 1.0.426 (tambi\u00e9n conocido como Build 426) debido a la validaci\u00f3n incorrecta de tokens CSRF para la gesti\u00f3n de postback, lo que permite que un atacante consiga controlar la cuenta de la v\u00edctima. El ataque omite un mecanismo de protecci\u00f3n que implica cabeceras X-CSRF y tokens CSRF mediante una determinada variable de postback _handler."}], "lastModified": "2020-08-03T12:15:48.487", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:octobercms:october:1.0.426:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "07538645-52CC-4A5F-BF22-4B653C34DC6E"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}