CVE-2011-5239 — Improper Input Validation in Civicrm

CWE-20 — Improper Input Validation3 documents3 sources

Severity

5.8MEDIUMNVD

EPSS

0.2%

top 59.81%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Civicrm Debian Civicrm

Timeline

PublishedNov 6

Latest updateMay 17

Description

CiviCRM 4.0.5 and 4.1.1 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

CVSS vector

AV:N/AC:M/C:P/I:P/A:NExploitability: 8.6 | Impact: 4.9

Affected Packages2 packages

▶debiandebian/civicrm

▶NVDcivicrm/civicrm4.0.5, 4.1.1+1

🔴Vulnerability Details

GHSA

GHSA-33p2-5mfj-r94r: CiviCRM 4↗2022-05-17

▶

📋Vendor Advisories

Debian

CVE-2011-5239: civicrm - CiviCRM 4.0.5 and 4.1.1 does not verify that the server hostname matches a domai...↗2011

▶