Severity
6.8 MEDIUM
EPSS
1.4%
top 19.68%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Dec 6
Latest update: May 14

Description

Apache Archiva 1.0 through 1.0.3, 1.1 through 1.1.4, 1.2 through 1.2.2, and 1.3 through 1.3.1 does not require entry of the administrator's password at the time of modifying a user account, which makes it easier for context-dependent attackers to gain privileges by leveraging a (1) unattended workstation or (2) cross-site request forgery (CSRF) vulnerability, a related issue to CVE-2010-3449.

CVSS vector

AV:N/AC:M/C:P/I:P/A:P
Exploitability: 8.6 | Impact: 6.4

Affected Packages (2 packages)

Maven | org.apache.archiva:archiva | 1.0 | 1.3.2
NVD | apache/archiva | 14 versions | +13

🔴 Vulnerability Details (3)

OSV | Apache Archiva does not require entry of the administrator's password at the time of modifying a user account | 2022-05-14
GHSA | Apache Archiva does not require entry of the administrator's password at the time of modifying a user account | 2022-05-14
CVEList | CVE-2010-4408: Apache Archiva 1 | 2010-12-06
CVE-2010-4408 (MEDIUM CVSS 6.8) | Apache Archiva 1.0 through 1.0.3 | cvebase.io