Message-ID: <20140525145608.00005303@openflare.org>
Date: Sun, 25 May 2014 14:56:08 +0300
From: Dolev Farhi <dolev@...nflare.org>
To: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: CVE Request: userCake <= 2.0.2 CSRF vulnerability

hi,

I would like to request a CVE for the following issue:

Date: 21.5.2014

Title: Cross-Site Request Forgery vulnerability in userCake

Vendor: userCake.com - notified & confirmed

Homepage: https://usercake.com

Brief:

A cross-site request forgery issue was found in the latest
version of userCake 2.0.2, which most probably affects versions prior to
the latest as well.
userCake is an open-source user management system.

The vulnerability allows resetting a logged-on admin account's password
via the passwordc and passwordcheck parameters in user_settings.php.


Full advisory and proof of concept can be found in this link:
http://research.openflare.org/advisories/OF-2014-11/usercake_csrf.txt

Can a CVE please be assigned?

Tx
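For readers looking at the defensive side of the issue described above, here is an added example (not userCake's own code, and not from the advisory) of a password-change handler that rejects cross-site requests with a per-session synchronizer token and additionally requires the current password. Only the parameter names passwordc and passwordcheck and the file name user_settings.php come from the post; the session layout and the helper functions currentPasswordHash() and updatePassword() are hypothetical stand-ins.

```php
<?php
// Added example, not userCake's code: CSRF-protected password change.
// passwordc / passwordcheck are the parameter names from the advisory;
// currentPasswordHash() and updatePassword() are hypothetical stand-ins.
declare(strict_types=1);

session_start();

// One random token per session, embedded as a hidden field in the form.
// A third-party page cannot read it, so a forged POST cannot supply it.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison so the check does not leak timing information.
function csrfTokenIsValid(?string $submitted): bool
{
    return is_string($submitted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

// Hypothetical persistence helpers; a real application reads/writes its user table here.
function currentPasswordHash(int $userId): string
{
    return $_SESSION['demo_password_hash'] ?? password_hash('placeholder', PASSWORD_DEFAULT);
}

function updatePassword(int $userId, string $newPassword): void
{
    $_SESSION['demo_password_hash'] = password_hash($newPassword, PASSWORD_DEFAULT);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // 1. The request must carry the session's token (the check the vulnerable flow lacked).
    if (!csrfTokenIsValid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token.');
    }
    if (!isset($_SESSION['user_id'])) {
        http_response_code(401);
        exit('Not logged in.');
    }
    $userId  = (int) $_SESSION['user_id'];
    $current = $_POST['password'] ?? '';
    $new     = $_POST['passwordc'] ?? '';
    $confirm = $_POST['passwordcheck'] ?? '';

    // 2. Re-authenticate: a forged request cannot know the current password either.
    if (!password_verify($current, currentPasswordHash($userId))) {
        http_response_code(403);
        exit('Current password is incorrect.');
    }
    if ($new === '' || $new !== $confirm) {
        http_response_code(400);
        exit('New password is empty or the confirmation does not match.');
    }

    updatePassword($userId, $new);
    unset($_SESSION['csrf_token']); // rotate the token after a state-changing action
    echo 'Password updated.';
    exit;
}
?>
<form method="post" action="user_settings.php">
    <input type="hidden" name="csrf_token"
           value="<?= htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') ?>">
    <input type="password" name="password" placeholder="Current password">
    <input type="password" name="passwordc" placeholder="New password">
    <input type="password" name="passwordcheck" placeholder="Confirm new password">
    <button type="submit">Change password</button>
</form>
```

The token check alone closes the cross-site vector; asking for the current password is defence in depth, so that neither a forged request nor a leaked token is sufficient on its own to take over an admin account. Setting the session cookie with the SameSite attribute is a further, complementary layer.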
