CVE-2017-6086
Published 2017-06-27
Priority: P3 · CWE-352 · Severity: high · CVSS 3.0 base score: 8.8
Vector: AV:N / AC:L / PR:N / UI:R / S:U / C:H / I:H / A:H
Tags: EXPLOIT
EPSS: 2.00% (78.2nd percentile)
Multiple cross-site request forgery (CSRF) vulnerabilities in the addAction and purgeAction functions in ViMbAdmin 3.0.15 allow remote attackers to hijack the authentication of logged administrators to (1) add an administrator user via a crafted POST request to /application/controllers/DomainController.php, (2) remove an administrator user via a crafted GET request to /application/controllers/DomainController.php, (3) change an administrator password via a crafted POST request to /application/controllers/DomainController.php, (4) add a mailbox via a crafted POST request to /application/controllers/MailboxController.php, (5) delete a mailbox via a crafted POST request to /application/controllers/MailboxController.php, (6) archive a mailbox address via a crafted GET request to /application/controllers/ArchiveController.php, (7) add an alias address via a crafted POST request to /application/controllers/AliasController.php, or (8) remove an alias address via a crafted GET request to /application/controllers/AliasController.php.
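The pattern behind all eight items is the same: the controller actions trust the session cookie alone, so any page the logged-in administrator happens to visit can submit the request on their behalf, and the GET variants (items 2, 6 and 8) can be fired from an `<img>` tag with no script at all. The following Python model is an added example and not ViMbAdmin's code; it contrasts that pattern with a handler that refuses GET for state changes, checks a per-session synchronizer token in constant time, and checks the Origin header. The action names, session layout, site origin and request fields are constructed for the demonstration.

```python
"""Model of a CSRF-vulnerable admin action and its hardened form.

Added illustration, not ViMbAdmin code. Action names, the session shape,
the site origin and the request object are constructed for the demo.
"""
from __future__ import annotations

import hmac
import secrets
from dataclasses import dataclass, field

SITE_ORIGIN = "https://mail-admin.example"  # assumed deployment origin
STATE_CHANGING = {"add_admin", "purge_admin", "add_mailbox", "purge_mailbox"}


@dataclass
class Session:
    """Server-side session for a logged-in administrator."""
    user: str
    admins: set = field(default_factory=lambda: {"root"})
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    """The parts of an HTTP request the handler inspects. The browser attaches
    the session cookie automatically, which is why a forged request still
    arrives with a valid session."""
    method: str
    action: str
    params: dict
    origin: str | None = None   # Origin header; absent on many cross-site GETs
    token: str | None = None    # hidden form field value, if the page had one


def _perform(sess: Session, req: Request) -> str:
    """Apply the action to the session state (stand-in for the DB write)."""
    target = req.params.get("username", "")
    if req.action == "add_admin":
        sess.admins.add(target)
        return f"200 added admin {target}"
    if req.action == "purge_admin":
        sess.admins.discard(target)
        return f"200 purged admin {target}"
    return "404 unknown action"


def vulnerable_handler(sess: Session, req: Request) -> str:
    """The flawed pattern: being logged in is the only check, so any page the
    admin visits can trigger add/purge via a form or an <img src=...>."""
    return _perform(sess, req)


def hardened_handler(sess: Session, req: Request) -> str:
    """Same action behind three checks: POST only for state changes, a
    per-session synchronizer token compared in constant time, and an Origin
    header matching the site when one is present (defence in depth)."""
    if req.action in STATE_CHANGING:
        if req.method != "POST":
            return "405 state-changing action requires POST"
        if req.token is None or not hmac.compare_digest(req.token, sess.csrf_token):
            return "403 missing or invalid CSRF token"
        if req.origin is not None and req.origin != SITE_ORIGIN:
            return "403 cross-origin request refused"
    return _perform(sess, req)


def forged_requests() -> list[Request]:
    """Constructed cross-site requests in the two shapes the advisory lists:
    an auto-submitting hidden POST form, and a GET fired from an <img> tag."""
    return [
        Request("POST", "add_admin", {"username": "attacker"}, origin="https://evil.example"),
        Request("GET", "purge_admin", {"username": "root"}),
    ]


def run_demo(handler) -> tuple[str, ...]:
    """Replay the forged requests against a fresh admin session; return the
    responses followed by the resulting admin list."""
    sess = Session(user="alice")
    replies = tuple(handler(sess, r) for r in forged_requests())
    return replies + (",".join(sorted(sess.admins)),)


def legitimate_request(sess: Session) -> Request:
    """A same-site form submission carrying the token the page embedded."""
    return Request("POST", "add_admin", {"username": "bob"},
                   origin=SITE_ORIGIN, token=sess.csrf_token)


if __name__ == "__main__":
    print("vulnerable:", run_demo(vulnerable_handler))
    print("hardened:  ", run_demo(hardened_handler))
```

The method check alone defeats the GET variants, since a browser cannot be made to send a cross-site POST through an image or link; the token is what stops the auto-submitted form, and the Origin check catches forged POSTs even if a token ever leaks into a URL or a cached page.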
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| opensolutions | vimbadmin | 0 – 3.0.15 | — |
| vimbadmin | vimbadmin | — | — |
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | CVSS 3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| NVD | CVSS 2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
OSV · 2022-05-17
CVE-2017-6086 [HIGH] ViMbAdmin CSRF Vulnerabilities
Multiple cross-site request forgery (CSRF) vulnerabilities in the addAction and purgeAction functions in ViMbAdmin 3.0.15 allow remote attackers to hijack the authentication of logged administrators to
1. add an administrator user via a crafted POST request to `/application/controllers/DomainController.php`,
2. remove an administrator user via a crafted GET request to `/application/controllers/DomainController.php`,
3. change an administrator password via a crafted POST request to `/application/controllers/DomainController.php`,
4. add a mailbox via a crafted POST request to `/application/controllers/MailboxController.php`,
5. delete a mailbox via a crafted POST request to `/application/controllers/MailboxController.php`,
6. archive a mailbox address via a c
GHSA · 2022-05-17
CVE-2017-6086 [HIGH] CWE-352 ViMbAdmin CSRF Vulnerabilities
No detection rules found.
No writeups or analysis indexed.