CVE-2010-0713

EUVD-2010-0740
Multiple cross-site request forgery (CSRF) vulnerabilities in Zenoss 2.3.3, and other versions before 2.5, allow remote attackers to hijack the authentication of an administrator for (1) requests that reset user passwords via zport/dmd/ZenUsers/admin, and (2) requests that change user commands, which allows for remote execution of system commands via zport/dmd/userCommands/.
CSRF
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.8 UNKNOWN
NETWORK
MEDIUM
AV:N/AC:M/Au:N/C:P/I:P/A:P
Base Score
CVSS 3.x
EPSS Score
Percentile: 90%
Affected Products (NVD)
VendorProductVersion
zenosszenoss
𝑥
≤ 2.4.5
zenosszenoss
2.3.0
zenosszenoss
2.3.3
zenosszenoss
2.4.0
zenosszenoss
2.4.2
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://osvdb.org/61805
http://secunia.com/advisories/38195
http://www.ngenuity.org/wordpress/2010/01/14/ngenuity-2010-002-zenoss-multiple-admin-csrf/
http://www.securityfocus.com/archive/1/508982/100/0/threaded
http://www.securityfocus.com/bid/37843
http://www.zenoss.com/news/SQL-Injection-and-Cross-Site-Forgery-in-Zenoss-Core-Corrected.html
http://osvdb.org/61805
http://secunia.com/advisories/38195
http://www.ngenuity.org/wordpress/2010/01/14/ngenuity-2010-002-zenoss-multiple-admin-csrf/
http://www.securityfocus.com/archive/1/508982/100/0/threaded
http://www.securityfocus.com/bid/37843
http://www.zenoss.com/news/SQL-Injection-and-Cross-Site-Forgery-in-Zenoss-Core-Corrected.html