CVE-2009-4898 (GCVE-0-2009-4898)
Vulnerability from cvelistv5
Published
2010-09-07 16:30
Modified
2024-09-16 18:49
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Cross-site request forgery (CSRF) vulnerability in TWiki before 4.3.2 allows remote attackers to hijack the authentication of arbitrary users for requests that update pages, as demonstrated by a URL for a save script in the ACTION attribute of a FORM element, in conjunction with a call to the submit method in the onload attribute of a BODY element. NOTE: this issue exists because of an insufficient fix for CVE-2009-1339.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T07:17:25.963Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[oss-security] 20100803 CVE 2009 request: twiki before 4.3.2 CSRF",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2010/08/02/17"
},
{
"name": "[oss-security] 20100803 Re: CVE 2009 request: twiki before 4.3.2 CSRF",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2010/08/03/8"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://twiki.org/cgi-bin/view/Codev/SecurityAuditTokenBasedCsrfFix"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site request forgery (CSRF) vulnerability in TWiki before 4.3.2 allows remote attackers to hijack the authentication of arbitrary users for requests that update pages, as demonstrated by a URL for a save script in the ACTION attribute of a FORM element, in conjunction with a call to the submit method in the onload attribute of a BODY element. NOTE: this issue exists because of an insufficient fix for CVE-2009-1339."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2010-09-07T16:30:00Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "[oss-security] 20100803 CVE 2009 request: twiki before 4.3.2 CSRF",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2010/08/02/17"
},
{
"name": "[oss-security] 20100803 Re: CVE 2009 request: twiki before 4.3.2 CSRF",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2010/08/03/8"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://twiki.org/cgi-bin/view/Codev/SecurityAuditTokenBasedCsrfFix"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2009-4898",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site request forgery (CSRF) vulnerability in TWiki before 4.3.2 allows remote attackers to hijack the authentication of arbitrary users for requests that update pages, as demonstrated by a URL for a save script in the ACTION attribute of a FORM element, in conjunction with a call to the submit method in the onload attribute of a BODY element. NOTE: this issue exists because of an insufficient fix for CVE-2009-1339."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[oss-security] 20100803 CVE 2009 request: twiki before 4.3.2 CSRF",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2010/08/02/17"
},
{
"name": "[oss-security] 20100803 Re: CVE 2009 request: twiki before 4.3.2 CSRF",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2010/08/03/8"
},
{
"name": "http://twiki.org/cgi-bin/view/Codev/SecurityAuditTokenBasedCsrfFix",
"refsource": "CONFIRM",
"url": "http://twiki.org/cgi-bin/view/Codev/SecurityAuditTokenBasedCsrfFix"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2009-4898",
"datePublished": "2010-09-07T16:30:00Z",
"dateReserved": "2010-06-15T00:00:00Z",
"dateUpdated": "2024-09-16T18:49:22.400Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2009-4898\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2010-09-07T17:00:01.747\",\"lastModified\":\"2025-04-11T00:51:21.963\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Cross-site request forgery (CSRF) vulnerability in TWiki before 4.3.2 allows remote attackers to hijack the authentication of arbitrary users for requests that update pages, as demonstrated by a URL for a save script in the ACTION attribute of a FORM element, in conjunction with a call to the submit method in the onload attribute of a BODY element. NOTE: this issue exists because of an insufficient fix for CVE-2009-1339.\"},{\"lang\":\"es\",\"value\":\"Una vulnerabilidad de Falsificaci\u00f3n de petici\u00f3n en sitios cruzados (CSRF) en TWiki antes de v4.3.2 permite a atacantes remotos secuestrar la autenticaci\u00f3n de cualquier usuario que soliciten actualizar una p\u00e1gina, como lo demuestra una direcci\u00f3n URL para guardar un script en el atributo ACTION de un elemento FORM, junto con una llamada al m\u00e9todo submit en el atributo onload de un elemento BODY. NOTA: este problema existe debido a una resoluci\u00f3n incompleta al CVE-2009-1339.\"}],\"metrics\":{\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:P/I:P/A:P\",\"baseScore\":6.8,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-352\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:twiki:twiki:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"4.3.1\",\"matchCriteriaId\":\"1C548C1F-E9DE-448C-ABA6-A8C8B5B77234\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:twiki:twiki:4.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F893E121-82FA-41C8-9BA4-606E6DA01408\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:twiki:twiki:4.0.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"47807C3A-8430-48E3-A7C8-C5A1FEDF84C0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:twiki:twiki:4.0.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"620356EA-F106-41DF-AADA-C1EF5A5A0829\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:twiki:twiki:4.0.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"979D8BC8-0032-496F-9503-F3BBBC8FA7CF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:twiki:twiki:4.0.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0804FF93-6554-4F56-9974-017198ED5F44\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:twiki:twiki:4.0.5:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"41445C95-0309-4B90-B725-87D2FE87C9A5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:twiki:twiki:4.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C9996E5B-36AD-407F-B3B6-839CE8E5913E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:twiki:twiki:4.1.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"748325A4-A237-498A-A185-905FC921D2A3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:twiki:twiki:4.1.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9FE3EEC6-7E05-4A37-97AA-D73E7D7A0E01\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:twiki:twiki:4.2.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"855671F5-C215-4382-B512-4ABD9D66F13D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:twiki:twiki:4.2.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E9C00515-CFEE-427A-BACE-B3140B0D6C67\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:twiki:twiki:4.2.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E9CF4F9B-7ADF-47A2-A556-10CCF7401DA9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:twiki:twiki:4.2.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"81DDB420-E707-4319-8395-531FC0D84E5B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:twiki:twiki:4.2.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0D7A5A57-AE7D-4D3E-A280-41676F355AEE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:twiki:twiki:4.3.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"710F8276-1147-4EAD-9C34-5F2FEE636F8D\"}]}]}],\"references\":[{\"url\":\"http://twiki.org/cgi-bin/view/Codev/SecurityAuditTokenBasedCsrfFix\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.openwall.com/lists/oss-security/2010/08/02/17\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.openwall.com/lists/oss-security/2010/08/03/8\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://twiki.org/cgi-bin/view/Codev/SecurityAuditTokenBasedCsrfFix\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.openwall.com/lists/oss-security/2010/08/02/17\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.openwall.com/lists/oss-security/2010/08/03/8\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…