CVE-2011-2191
Published 2011-10-07
Priority P4 · 24 · medium · 6.8 CVSS 2.0 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
EPSS 1.40% (69.0th percentile)
Cross-site request forgery (CSRF) vulnerability in Cherokee-admin in Cherokee before 1.2.99 allows remote attackers to hijack the authentication of administrators for requests that insert cross-site scripting (XSS) sequences, as demonstrated by a crafted nickname field to vserver/apply.
Affected
137 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cherokee-project | cherokee | <= 1.2.98 | — |
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2011-2190 CVE-2011-2191 cherokee: multiple vulnerabilities [epel-all]
bugzilla · 2011-06-14 · CVSS 2.1 · CVE-2011-2190 [LOW]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected Fedora
versions.
For comments that are specific to the vulnerability please use bugs filed
against "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please include the bug IDs of the
respective parent bugs filed against the "Security Response" product.
Please mention CVE ids in the RPM changelog when available.
Bodhi update submission link:
https://admin.fedoraproject.org/updates/new/?type_=security&bugs=713304
Please note: this issue affects multiple
Bugzilla
CVE-2011-2190 CVE-2011-2191 cherokee: multiple vulnerabilities [fedora-all]
bugzilla · 2011-06-14 · CVSS 2.1 · CVE-2011-2190 [LOW]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected Fedora
versions.
For comments that are specific to the vulnerability please use bugs filed
against "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please include the bug IDs of the
respective parent bugs filed against the "Security Response" product.
Please mention CVE ids in the RPM changelog when available.
Bodhi update submission link:
https://admin.fedoraproject.org/updates/new/?type_=security&bugs=713304
Please note: this issue affects multipl
Bugzilla
CVE-2011-2191 cherokee: CSRF and XSS vulnerabilities
bugzilla · 2011-06-14 · CVSS 2.1 · CVE-2011-2191 [LOW]
Two flaws were reported in Cherokee.
The first (CVE-2011-2191) is that the Cherokee server admin configuration web interface is vulnerable to CSRF. If an admin is logged into the Cherokee admin interface and visits a site which runs a malicious script, Cherokee can be reconfigured to execute arbitrary commands [1]. It is also possible to use the CSRF to produce a persistent XSS [2].
The second (CVE-2011-2090) is that Cherokee seeds srand with a combination of the time and the PID of the admin process, after which rand() is called to generate a random password -- this is unsafe and allows for fairly easy local password guessing by a local user [3].
[1] http://seclists.org/fulldisclosure/2011/Jun/0
[2] http://www.openwall.com/lists/o
References
http://lists.fedoraproject.org/pipermail/package-announce/2011-September/066222.html
http://osvdb.org/72693
http://seclists.org/fulldisclosure/2011/Jun/0
http://www.cherokee-project.com/download/LATEST_is_1.2.99/cherokee-1.2.99.tar.gz
http://www.openwall.com/lists/oss-security/2011/06/02/2
http://www.openwall.com/lists/oss-security/2011/06/03/6
http://www.openwall.com/lists/oss-security/2011/06/06/22
http://www.securityfocus.com/bid/49772
https://bugzilla.redhat.com/show_bug.cgi?id=713304
https://launchpad.net/bugs/784632