Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:24055
HistoryJun 14, 2010 - 12:00 a.m.

[MajorSecurity SA-070]Plume CMS - change Admin Password via Cross-site Request Forgery

2010-06-1400:00:00
vulners.com
16
JSON

[MajorSecurity SA-070]Plume CMS - change Admin Password via Cross-site Request Forgery

Details

Product: Plume CMS
Security-Risk: high
Remote-Exploit: yes
Vendor-URL: http://www.plume-cms.net/
Advisory-Status: published

Credits

Discovered by: David Vieira-Kurz
http://www.majorsecurity.info/penetrationstest.php

Affected Products:

Plume CMS 1.2.4
Prior versions may also be vulnerable

Introduction

"Plume CMS is web based content management system."

More Details

We at MajorSecurity have discovered a vulnerability in Plume CMS, which can be exploited
by malicious people to conduct cross-site request forgery attacks.
The application allows users to perform certain actions via HTTP requests without
performing any validity checks to verify the requests. This can be exploited to change the
administrator's password by tricking a logged in administrator into visiting a malicious
web site.

Solution

The web application should implement some validity checks to verify the requests before
performing certain actions via HTTP requests.

Workaround

Do not browse untrusted sites or follow untrusted links while being logged-in to the
application.

MajorSecurity

MajorSecurity is a German penetrationtesting and security research company which focuses
on web application security. We offer professional penetrationstest, security audits,
source code reviews.

JSON