CVE-2008-6478

Parallels Virtuozzo Containers 3.0.0-25.4/4.0.0-365.6 VZPP Interface File Manger - Cross-Site Request Forgery

Severity Score

6.5

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Cross-site request forgery (CSRF) vulnerability in the file manager in the VZPP web interface for Parallels Virtuozzo 365.6.swsoft (build 4.0.0-365.6.swsoft) and 25.4.swsoft (build 3.0.0-25.4.swsoft) allows remote attackers to create and delete arbitrary files as the administrator via a link or IMG tag to (1) create-file and (2) list-control in vz/cp/vzdir/infrman/envs/files/; or modify system configuration via the path parameter to vz/cp/vzdir/infrman/envs/files/index.

Vulnerabilidad de falsificación de petición en sitios cruzados (CSRF) en el gestor de ficheros en el interfaz web VZPP en Parallels Virtuozzo 365.6.swsoft (disponible en v4.0.0 - v365.6.swsoft) y v25.4.swsoft (disponible en v3.0.0 - v25.4.swsoft) permite a atacantes remotos crear y borrar ficheros de su elección como usuario administrador mediante un enlace o etiqueta IMG en (1) "create-file" y (2) "list-control" en vz/cp/vzdir/infrman/envs/files/; o modificar configuración del sistema mediante el parémetro "path" en vz/cp/vzdir/infrman/envs/files/index.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2008-04-03 First Exploit
2009-03-16 CVE Reserved
2009-03-16 CVE Published
2024-08-07 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-352: Cross-Site Request Forgery (CSRF)

CAPEC

References (7)

URL	Tag	Source
http://osvdb.org/44395	Vdb Entry
http://px.dynalias.org/files/virtuozzo_overwrite.html.txt	X_refsource_misc
http://www.securityfocus.com/archive/1/490409/100/0/threaded	Mailing List
https://exchange.xforce.ibmcloud.com/vulnerabilities/41640	Vdb Entry

URL	Date	SRC
https://www.exploit-db.com/exploits/31603	2008-04-03
http://www.securityfocus.com/bid/28589	2024-08-07

URL	Date	SRC

URL	Date	SRC
http://secunia.com/advisories/29675	2018-10-11

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Parallels Search vendor "Parallels"		Virtuozzo Containers Search vendor "Parallels" for product "Virtuozzo Containers"				3.0.0-25.4.swsoft Search vendor "Parallels" for product "Virtuozzo Containers" and version "3.0.0-25.4.swsoft"		-		Affected
Parallels Search vendor "Parallels"		Virtuozzo Containers Search vendor "Parallels" for product "Virtuozzo Containers"				4.0.0-365.6.swsoft Search vendor "Parallels" for product "Virtuozzo Containers" and version "4.0.0-365.6.swsoft"		-		Affected