CVE-2008-7193

EUVD-2008-7152
PHPKIT 1.6.4 PL1 includes the session ID in the URL, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks by reading the PHPKITSID parameter from the HTTP Referer and using it in a request to (1) modify the user profile via upload_files/include.php or (2) create a new administrator via upload_files/pk/include.php.
CSRF
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.8 UNKNOWN
NETWORK
MEDIUM
AV:N/AC:M/Au:N/C:P/I:P/A:P
Base Score
CVSS 3.x
EPSS Score
Percentile: 42%
Affected Products (NVD)
VendorProductVersion
phpkitphpkit
1.6.4pl1:pl1
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://osvdb.org/50998
http://www.securityfocus.com/archive/1/487249/100/200/threaded
https://exchange.xforce.ibmcloud.com/vulnerabilities/40033
http://osvdb.org/50998
http://www.securityfocus.com/archive/1/487249/100/200/threaded
https://exchange.xforce.ibmcloud.com/vulnerabilities/40033