CVE-2013-5726

EUVD-2013-5563
Tweetbot 1.3.3 for Mac, and 2.8.5 for iPad and iPhone, does not require confirmation of (1) follow or (2) favorite actions, which allows remote attackers to automatically force the user to perform undesired actions, as demonstrated via the tweetbot:///follow/ URL.
CSRF
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.8 UNKNOWN
NETWORK
MEDIUM
AV:N/AC:M/Au:N/C:P/I:P/A:P
Base Score
CVSS 3.x
EPSS Score
Percentile: 52%
Affected Products (NVD)
VendorProductVersion
tapbotstweetbot
1.3.3
tapbotstweetbot
2.8.5
tapbotstweetbot
2.8.5
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://blog.binaryfactory.ca/2013/11/cve-2013-5726-tweetbot-for-ios-and-mac-user-disclosureprivacy-issue/
http://osvdb.org/99256
http://seclists.org/fulldisclosure/2013/Nov/9
http://blog.binaryfactory.ca/2013/11/cve-2013-5726-tweetbot-for-ios-and-mac-user-disclosureprivacy-issue/
http://osvdb.org/99256
http://seclists.org/fulldisclosure/2013/Nov/9