8.8

CVE-2018-7634

Exploit
An issue was discovered in Enalean Tuleap 9.17. Lack of CSRF attack mitigation while changing an e-mail address makes it possible to abuse the functionality by attackers. By making a CSRF attack, an attacker could make a victim change his registered e-mail address on the application, leading to account takeover.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
EnaleanTuleap Version9.17
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.82% 0.523
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 8.8 2.8 5.9
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd@nist.gov 6.8 8.6 6.4
AV:N/AC:M/Au:N/C:P/I:P/A:P
CWE-352 Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

https://github.com/Enalean/tuleap/commit/0843c046eee54b16ec6a7753c575838212770189
Patch
https://mustafairan.wordpress.com/2018/03/05/tuleap-mail-change-csrf-vulnerability-leads-to-account-takeover/
Patch
Third Party Advisory
Exploit
https://tuleap.net/plugins/git/tuleap/tuleap/stable?p=tuleap%2Fstable.git&a=commit&h=d6701289ae55de900929ff0f66313fa9771a198d
Patch
Vendor Advisory
Issue Tracking
https://tuleap.net/plugins/tracker/?aid=11217
Patch
Vendor Advisory
https://twitter.com/Mustafaran/status/970745812887199744
Third Party Advisory
Exploit