| Summary: | <=www-apps/twiki-4.3.2: Multiple vulnerabilites (CVE-2009-4898) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Samuel Tardieu <sam> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | CC: | web-apps |
| Priority: | High | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://twiki.org/cgi-bin/view/Codev/SecurityAuditTokenBasedCsrfFix | ||
| Whiteboard: | ~4 [noglsa] | ||
| Package list: | Runtime testing required: | --- | |
CVE-2009-4898 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4898): Cross-site request forgery (CSRF) vulnerability in TWiki before 4.3.2 allows remote attackers to hijack the authentication of arbitrary users for requests that update pages, as demonstrated by a URL for a save script in the ACTION attribute of a FORM element, in conjunction with a call to the submit method in the onload attribute of a BODY element. NOTE: this issue exists because of an insufficient fix for CVE-2009-1339. package has been removed from tree (In reply to comment #2) > package has been removed from tree Thanks. Closing noglsa since twiki was only ever ~arch. |
The TWiki SecurityTeam triaged this issue as documented in TWikiSecurityAlertProcess and assigned the following severity level: * Severity 3 issue: TWiki content or browser is compromised. Reproducible: Always Steps to Reproduce: This is fixed in TWiki 4.3.2.