| HIO-2009-0630 AIRT Multiple Vulnerabilities |
|
|
|
|
AIRT, the Application for Incident Response Teams, contains flaws that allow cross site request forgery and cross site scripting.
1) XSS: Input passed to the "status" parameter is not properly verified before being submitted to incident.php. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
2) CSRF: The application allows users to perform certain actions via HTTP requests without performing any validation checks to verify the requests. This can be exploited to e.g. add users via users.php when a logged in user views a malicious web page.
The vulnerabilities are confirmed in version 20090424.1 and earlier. Vendor has released version 20090726.1 to address this issue along with other updates.
References: CVE-2009-pending BID: FrSIRT: N/A Nessus:N/A SA: XF: Related: Vendor Solution: Upgrade to 20090726.1 |
| < Prev | Next > |
|---|