ViMbAdmin CSRF Vulnerabilities

Multiple cross-site request forgery (CSRF) vulnerabilities in the addAction and purgeAction functions in ViMbAdmin 3.0.15 allow remote attackers to hijack the authentication of logged administrators to

add an administrator user via a crafted POST request to <vimbadmin directory>/application/controllers/DomainController.php,
remove an administrator user via a crafted GET request to <vimbadmin directory>/application/controllers/DomainController.php,
change an administrator password via a crafted POST request to <vimbadmin directory>/application/controllers/DomainController.php,
add a mailbox via a crafted POST request to <vimbadmin directory>/application/controllers/MailboxController.php,
delete a mailbox via a crafted POST request to <vimbadmin directory>/application/controllers/MailboxController.php,
archive a mailbox address via a crafted GET request to <vimbadmin directory>/application/controllers/ArchiveController.php,
add an alias address via a crafted POST request to <vimbadmin directory>/application/controllers/AliasController.php, or
remove an alias address via a crafted GET request to <vimbadmin directory>/application/controllers/AliasController.php.

References

Published by the National Vulnerability Database Jun 27, 2017

Published to the GitHub Advisory Database May 17, 2022

Reviewed Apr 25, 2024

Last updated Apr 25, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Package

Affected versions

Patched versions

Description

References

Severity

CVSS overall score

CVSS v3 base metrics

CVSS v3 base metrics

EPSS score

Exploit Prediction Scoring System (EPSS)

Weaknesses

Cross-Site Request Forgery (CSRF)

CVE ID

GHSA ID

Source code

Uh oh!