Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:25647
HistoryFeb 11, 2011 - 12:00 a.m.

[SECURITY] CVE-2010-3449: Apache Continuum CSRF vulnerability

2011-02-1100:00:00
vulners.com
23

CVE-2010-3449: Apache Continuum CSRF vulnerability

Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:
Continuum 1.3.6
Continuum 1.4.0 (Beta)
The unsupported versions Continuum 1.1 - 1.2.3.1 are also affected.

Description:
Administrators are able to change any user's password, but the
source of the request is not verified, making the behaviour
susceptible to CSRF.

Mitigation:
Continuum 1.3.6 and earlier users should upgrade to 1.3.7

Continuum 1.4.0 (Beta) users should apply the following patch:
http://svn.apache.org/viewvc?view=revision&revision=1066010

Credit:
This issue was discovered by Anatolia Security Research Group

References:
http://continuum.apache.org/security.html


Brett Porter
[email protected]
http://brettporter.wordpress.com/
http://au.linkedin.com/in/brettporter

Related for SECURITYVULNS:DOC:25647