CVE-2008-7139

01.09.2009, 16:30

Multiple cross-site request forgery (CSRF) vulnerabilities in WS-Proxy in Eye-Fi 1.1.2 allow remote attackers to hijack the authentication of users for requests that modify configuration via a SOAPAction parameter of (1) urn:SetOptions for autostart, (2) urn:SetDesktopSync for file upload, or (3) urn:SetFolderConfig for file download location or modification of authentication credentials; and (4) urn:AddNetwork for adding an arbitrary Service Set Identifier (SSID) to hijack the image upload.

CSRF

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	6.8 UNKNOWN	NETWORK	MEDIUM		AV:N/AC:M/Au:N/C:P/I:P/A:P
mitre	CNA	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 49%

Vendor	Product	Version
eye.fi	eye-fi_manager	1.1.2

𝑥

= Vulnerable software versions

Known Exploits!

Common Weakness Enumeration

CWE-352 - Cross-Site Request Forgery (CSRF)
The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

References

http://osvdb.org/42718

http://secunia.com/advisories/29221

http://www.informit.com/articles/article.aspx?p=1177111

http://www.securityfocus.com/archive/1/489045/100/0/threaded

http://www.securityfocus.com/bid/28085

https://exchange.xforce.ibmcloud.com/vulnerabilities/40995

http://osvdb.org/42718

http://secunia.com/advisories/29221

http://www.informit.com/articles/article.aspx?p=1177111

http://www.securityfocus.com/archive/1/489045/100/0/threaded

http://www.securityfocus.com/bid/28085

https://exchange.xforce.ibmcloud.com/vulnerabilities/40995