Bugtraq mailing list archives
[SECURITY] CVE-2010-3449: Apache Continuum CSRF vulnerability
From: Brett Porter <brett () apache org>
Date: Fri, 11 Feb 2011 01:21:00 +1100
CVE-2010-3449: Apache Continuum CSRF vulnerability Severity: Important Vendor: The Apache Software Foundation Versions Affected: Continuum 1.3.6 Continuum 1.4.0 (Beta) The unsupported versions Continuum 1.1 - 1.2.3.1 are also affected. Description: Administrators are able to change any user's password, but the source of the request is not verified, making the behaviour susceptible to CSRF. Mitigation: Continuum 1.3.6 and earlier users should upgrade to 1.3.7 Continuum 1.4.0 (Beta) users should apply the following patch: http://svn.apache.org/viewvc?view=revision&revision=1066010 Credit: This issue was discovered by Anatolia Security Research Group References: http://continuum.apache.org/security.html -- Brett Porter brett () apache org http://brettporter.wordpress.com/ http://au.linkedin.com/in/brettporter
Current thread:
- [SECURITY] CVE-2010-3449: Apache Continuum CSRF vulnerability Brett Porter (Feb 10)