CVE-2017-6807 — Cross-site Scripting in MOD Auth Mellon

CWE-79 — Cross-site Scripting10 documents8 sources

Severity

6.1MEDIUMNVD

EPSS

0.4%

top 41.57%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Uninett MOD Auth Mellon

Timeline

PublishedMar 13

Latest updateMay 17

Description

mod_auth_mellon before 0.13.1 is vulnerable to a Cross-Site Session Transfer attack, where a user with access to one web site running on a server can copy their session cookie to a different web site on the same server to get access to that site.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages1 packages

▶NVDuninett/mod_auth_mellon0.13.0

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-25ph-rcq4-c44c: mod_auth_mellon before 0↗2022-05-17

▶

OSV

libapache2-mod-auth-mellon vulnerabilities↗2020-10-22

▶

OSV

CVE-2017-6807: mod_auth_mellon before 0↗2017-03-13

▶

CVEList

CVE-2017-6807: mod_auth_mellon before 0↗2017-03-13

▶

📋Vendor Advisories

Ubuntu

mod_auth_mellon vulnerabilities↗2020-10-22

▶

Red Hat

mod_auth_mellon: Cross-site session transfer vulnerability↗2017-03-13

▶

Debian

CVE-2017-6807: libapache2-mod-auth-mellon - mod_auth_mellon before 0.13.1 is vulnerable to a Cross-Site Session Transfer att...↗2017

▶

💬Community

Bugzilla

CVE-2017-6807 mod_auth_mellon: Cross-site session transfer vulnerability↗2017-03-13

▶

Bugzilla

CVE-2017-6807 mod_auth_mellon: various flaws [fedora-all]↗2017-02-24

▶