CVE-2017-16244
OctoberCMS 1.0.426 (Build 426) - Cross-Site Request Forgery
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
Cross-Site Request Forgery exists in OctoberCMS 1.0.426 (aka Build 426) due to improper validation of CSRF tokens for postback handling, allowing an attacker to successfully take over the victim's account. The attack bypasses a protection mechanism involving X-CSRF headers and CSRF tokens via a certain _handler postback variable.
Existe Cross-Site Request Forgery (CSRF) en OctoberCMS 1.0.426 (también conocido como Build 426) debido a la validación incorrecta de tokens CSRF para la gestión de postback, lo que permite que un atacante consiga controlar la cuenta de la víctima. El ataque omite un mecanismo de protección que implica cabeceras X-CSRF y tokens CSRF mediante una determinada variable de postback _handler.
OctoberCMS version 1.0.426 (Build 426) suffers from a cross site request forgery vulnerability.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2017-10-31 CVE Reserved
- 2017-11-01 CVE Published
- 2023-08-16 EPSS Updated
- 2024-08-05 CVE Updated
- 2024-08-05 First Exploit
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-352: Cross-Site Request Forgery (CSRF)
CAPEC
References (2)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|---|---|
| https://www.exploit-db.com/exploits/43106 | 2024-08-05 |
| URL | Date | SRC |
|---|---|---|
| https://github.com/octobercms/october/commit/4a6e0e1e0e2c3facebc17e0db38c5b4d4cb05bd0 | 2020-08-03 |
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Octobercms Search vendor "Octobercms" | October Search vendor "Octobercms" for product "October" | 1.0.426 Search vendor "Octobercms" for product "October" and version "1.0.426" | - |
Affected
| ||||||