nvd-json-data-feeds/CVE-2015/CVE-2015-15xx/CVE-2015-1559.json

{
  "id": "CVE-2015-1559",
  "sourceIdentifier": "cve@mitre.org",
  "published": "2015-02-10T17:59:02.183",
  "lastModified": "2017-09-08T01:29:49.873",
  "vulnStatus": "Modified",
  "descriptions": [
    {
      "lang": "en",
      "value": "Multiple cross-site request forgery (CSRF) vulnerabilities in administrator.php in Epignosis eFront Open Source Edition before 3.6.15.3 build 18022 allow remote attackers to hijack the authentication of administrators for requests that (1) delete modules via the delete_module parameter, (2) deactivate modules via the deactivate_module parameter, (3) activate modules via the activate_module parameter, (4) delete users via the delete_user parameter, (5) deactivate users via the deactivate_user parameter, (6) activate users via the activate_user parameter, (7) activate themes via the set_theme parameter, (8) deactivate themes via the set_theme parameter, (9) delete themes via the delete parameter, (10) deactivate events (user registration or email activation) via the deactivate_notification parameter, (11) activate events via the activate_notification parameter, (12) delete events via the delete_notification parameter, (13) deactivate language settings via the deactivate_language parameter, (14) activate language settings via the activate_language parameter, (15) delete language settings via the delete_language parameter, or (16) activate or deactivate the autologin feature for a user via a crafted maintenance request."
    },
    {
      "lang": "es",
      "value": "M\u00faltiples vulnerabilidades de CSRF en administrator.php en Epignosis eFront Open Source Edition en versiones anteriores a 3.6.15.3 build 18022 permiten a atacantes remotos secuestrar la autenticaci\u00f3n de administradores para las peticiones que (1) eliminan m\u00f3dulos a trav\u00e9s del par\u00e1metro delete_module, (2) desactivan m\u00f3dulos a trav\u00e9s del par\u00e1metro deactivate_module, (3) activan m\u00f3dulos a trav\u00e9s del par\u00e1metro activate_module, (4) eliminan usuarios a trav\u00e9s del par\u00e1metro delete_user, (5) desactivar usuarios a trav\u00e9s del par\u00e1metro deactivate_user, (6) activar usuarios a trav\u00e9s del par\u00e1metro activate_user, (7) activar temas a trav\u00e9s del par\u00e1metro set_theme, (8) desactivar temas a trav\u00e9s del par\u00e1metro set_theme, (9) eliminar temas a trav\u00e9s del par\u00e1metro delete, (10) desactivar eventos (registro de usuario o activaci\u00f3n de correo electr\u00f3nico) a trav\u00e9s del par\u00e1metro deactivate_notification, (11) activar eventos a trav\u00e9s del par\u00e1metro activate_notification, (12) borrar eventos a trav\u00e9s del par\u00e1metro delete_notification, (13) desactivar la configuraci\u00f3n de idioma a trav\u00e9s del par\u00e1metro deactivate_language, (14) activar la configuraci\u00f3n de idioma mediante el par\u00e1metro activate_language, (15) borrar la configuraci\u00f3n de idioma a trav\u00e9s del par\u00e1metro delete_language o (16) activar o desactivar la funci\u00f3n de inicio de sesi\u00f3n autom\u00e1tico para un usuario a trav\u00e9s de una solicitud de mantenimiento manipulada."
    }
  ],
  "metrics": {
    "cvssMetricV2": [
      {
        "source": "nvd@nist.gov",
        "type": "Primary",
        "cvssData": {
          "version": "2.0",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
          "accessVector": "NETWORK",
          "accessComplexity": "MEDIUM",
          "authentication": "NONE",
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "availabilityImpact": "PARTIAL",
          "baseScore": 6.8
        },
        "baseSeverity": "MEDIUM",
        "exploitabilityScore": 8.6,
        "impactScore": 6.4,
        "acInsufInfo": false,
        "obtainAllPrivilege": false,
        "obtainUserPrivilege": false,
        "obtainOtherPrivilege": false,
        "userInteractionRequired": true
      }
    ]
  },
  "weaknesses": [
    {
      "source": "nvd@nist.gov",
      "type": "Primary",
      "description": [
        {
          "lang": "en",
          "value": "CWE-352"
        }
      ]
    }
  ],
  "configurations": [
    {
      "nodes": [
        {
          "operator": "OR",
          "negate": false,
          "cpeMatch": [
            {
              "vulnerable": true,
              "criteria": "cpe:2.3:a:epignosis:efront:*:*:*:*:open_source:*:*:*",
              "versionEndIncluding": "3.6.15.2",
              "matchCriteriaId": "CC21ED9E-FA59-4B42-A55E-1EB1F0B28677"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "url": "http://seclists.org/fulldisclosure/2015/Feb/30",
      "source": "cve@mitre.org",
      "tags": [
        "Exploit"
      ]
    },
    {
      "url": "http://seclists.org/oss-sec/2015/q1/468",
      "source": "cve@mitre.org",
      "tags": [
        "Exploit"
      ]
    },
    {
      "url": "http://seclists.org/oss-sec/2015/q1/475",
      "source": "cve@mitre.org"
    },
    {
      "url": "http://sroesemann.blogspot.de/2015/01/sroeadv-2015-09.html",
      "source": "cve@mitre.org",
      "tags": [
        "Exploit"
      ]
    },
    {
      "url": "http://www.efrontlearning.net/download",
      "source": "cve@mitre.org",
      "tags": [
        "Patch"
      ]
    },
    {
      "url": "http://www.securityfocus.com/bid/72533",
      "source": "cve@mitre.org"
    },
    {
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/100735",
      "source": "cve@mitre.org"
    }
  ]
}