6.5
CVE-2019-12923
- EPSS 0.04%
- Veröffentlicht 08.07.2019 21:15:09
- Zuletzt bearbeitet 21.11.2024 04:23:49
- Quelle cve@mitre.org
- CVE-Watchlists
- Unerledigt
LoginIn MailEnable Enterprise Premium 10.23, the potential cross-site request forgery (CSRF) protection mechanism was not implemented correctly and it was possible to bypass it by removing the anti-CSRF token parameter from the request. This could allow an attacker to manipulate a user into unwittingly performing actions within the application (such as sending email, adding contacts, or changing settings) on behalf of the attacker.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Mailenable ≫ Mailenable SwEditionpremium Version >= 6.0 < 6.90
Mailenable ≫ Mailenable SwEditionpremium Version >= 7.0 < 7.62
Mailenable ≫ Mailenable SwEditionpremium Version >= 8.00 < 8.64
Mailenable ≫ Mailenable SwEditionpremium Version >= 9.0 < 9.83
Mailenable ≫ Mailenable SwEditionpremium Version >= 10.00 < 10.24
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.04% | 0.094 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 6.5 | 2.8 | 3.6 |
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
|
| nvd@nist.gov | 4.3 | 8.6 | 2.9 |
AV:N/AC:M/Au:N/C:N/I:P/A:N
|
CWE-352 Cross-Site Request Forgery (CSRF)
The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.