| Summary: | <=www-apps/twiki-4.3.2: Multiple vulnerabilities (CVE-2009-4898) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Samuel Tardieu <sam> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | web-apps |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://twiki.org/cgi-bin/view/Codev/SecurityAuditTokenBasedCsrfFix | | |
| Whiteboard: | ~4 [noglsa] | | |
| Package list: | | Runtime testing required: | --- |
Description
Samuel Tardieu
2009-09-09 21:11:52 UTC
CVE-2009-4898 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4898): Cross-site request forgery (CSRF) vulnerability in TWiki before 4.3.2 allows remote attackers to hijack the authentication of arbitrary users for requests that update pages, as demonstrated by a URL for a save script in the ACTION attribute of a FORM element, in conjunction with a call to the submit method in the onload attribute of a BODY element. NOTE: this issue exists because of an insufficient fix for CVE-2009-1339.

package has been removed from tree

(In reply to comment #2)
> package has been removed from tree

Thanks. Closing noglsa since twiki was only ever ~arch.
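The fix TWiki shipped for this issue was token-based (see the URL field above). As an added illustration, not TWiki's own code, the following Python sketch shows the check such a fix imposes on a save handler: the per-session token is embedded in the legitimate edit form, and a cross-site form that auto-submits with the victim's cookie but without the token is refused. The Session, render_edit_form and handle_save names, and the "/bin/save" path, are hypothetical.

```python
from __future__ import annotations

import hmac
import secrets
from dataclasses import dataclass, field

# Constructed stand-in for a wiki session: the browser cookie maps to one of
# these, and the CSRF token lives only here and in forms the server rendered.
# Names are hypothetical, not TWiki's.
@dataclass
class Session:
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))

def render_edit_form(session: Session, topic: str) -> str:
    """Legitimate edit form: carries the per-session token as a hidden field."""
    return (
        f'<form method="post" action="/bin/save/{topic}">'
        f'<input type="hidden" name="csrf_token" value="{session.csrf_token}">'
        f'<textarea name="text"></textarea></form>'
    )

def handle_save(session: Session, form: dict, page_store: dict, topic: str) -> tuple[int, str]:
    """Save handler: the page is updated only if the submitted token matches.

    A form auto-submitted from another origin is sent with the victim's cookie,
    so the session resolves, but that origin cannot read the token, so the
    comparison fails and nothing is written.
    """
    supplied = form.get("csrf_token", "")
    # Constant-time comparison on bytes; a missing or wrong token is rejected.
    if not hmac.compare_digest(supplied.encode(), session.csrf_token.encode()):
        return 403, "CSRF token missing or invalid; page not updated"
    page_store[topic] = form.get("text", "")
    return 200, "saved"

def demo() -> dict:
    """Exercise both cases against one session; returns outcomes and the store."""
    sess = Session(user="alice")
    store = {"WebHome": "original"}          # constructed page store
    # Cross-site submission: mimics the save action but has no token.
    forged_result = handle_save(sess, {"text": "defaced"}, store, "WebHome")
    # Submission from the server-rendered form: token present.
    legit = {"csrf_token": sess.csrf_token, "text": "edited by alice"}
    legit_result = handle_save(sess, legit, store, "WebHome")
    return {"forged": forged_result, "legit": legit_result, "store": store}
```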