cbcvebase.
CVE-2017-6086
published 2017-06-27

CVE-2017-6086: Multiple cross-site request forgery (CSRF) vulnerabilities in the addAction and purgeAction functions in ViMbAdmin 3.0.15 allow remote attackers to hijack the…

PriorityP352high8.8CVSS 3.0
AVNACLPRNUIRSUCHIHAH
EXPLOIT
EPSS
2.00%
78.2th percentile
Multiple cross-site request forgery (CSRF) vulnerabilities in the addAction and purgeAction functions in ViMbAdmin 3.0.15 allow remote attackers to hijack the authentication of logged administrators to (1) add an administrator user via a crafted POST request to /application/controllers/DomainController.php, (2) remove an administrator user via a crafted GET request to /application/controllers/DomainController.php, (3) change an administrator password via a crafted POST request to /application/controllers/DomainController.php, (4) add a mailbox via a crafted POST request to /application/controllers/MailboxController.php, (5) delete a mailbox via a crafted POST request to /application/controllers/MailboxController.php, (6) archive a mailbox address via a crafted GET request to /application/controllers/ArchiveController.php, (7) add an alias address via a crafted POST request to /application/controllers/AliasController.php, or (8) remove an alias address via a crafted GET request to /application/controllers/AliasController.php.

Affected

2 ranges
VendorProductVersion rangeFixed in
opensolutionsvimbadmin0 – 3.0.15
vimbadminvimbadmin

CVSS provenance

nvdv3.08.8HIGHCVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvdv2.06.8MEDIUMAV:N/AC:M/Au:N/C:P/I:P/A:P
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.