Skip to main content

Zenoss Core CVE-2014-6253

MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2014-12-15 cve@mitre.org
6.8
CVSS 2.0 · NVD
Share

Severity by source

NVD PRIMARY
6.8 MEDIUM
AV:N/AC:M/Au:N/C:P/I:P/A:P

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

AV:N/AC:M/Au:N/C:P/I:P/A:P
Attack Vector
Network
Attack Complexity
M
Confidentiality
P
Integrity
P
Availability
P

Lifecycle Timeline

1
CVE Published
Dec 15, 2014 - 18:59 cve.org
MEDIUM 6.8

DescriptionCVE.org

Multiple cross-site request forgery (CSRF) vulnerabilities in Zenoss Core through 5 Beta 3 allow remote attackers to hijack the authentication of arbitrary users, aka ZEN-12653.

AnalysisAI

Multiple cross-site request forgery (CSRF) vulnerabilities in Zenoss Core through 5 Beta 3 allow remote attackers to hijack the authentication of arbitrary users, aka ZEN-12653. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Cross-Site Request Forgery (CSRF) (CWE-352), which allows attackers to trick authenticated users into performing unintended actions. Multiple cross-site request forgery (CSRF) vulnerabilities in Zenoss Core through 5 Beta 3 allow remote attackers to hijack the authentication of arbitrary users, aka ZEN-12653. Affected products include: Zenoss Zenoss Core. Version information: through 5.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Implement anti-CSRF tokens, validate Origin/Referer headers, use SameSite cookie attribute.

CVE-2014-6261 CRITICAL
9.3 Dec 15

Zenoss Core through 5 Beta 3 does not properly implement the Check For Updates feature, which allows remote attackers to

CVE-2014-9249 HIGH
7.5 Dec 15

The default configuration of Zenoss Core before 5 allows remote attackers to read or modify database information by conn

CVE-2014-6256 HIGH
7.5 Dec 15

Zenoss Core through 5 Beta 3 allows remote attackers to bypass intended access restrictions and place files in a directo

CVE-2014-9385 MEDIUM
6.8 Dec 15

Cross-site request forgery (CSRF) vulnerability in Zenoss Core through 5 Beta 3 allows remote attackers to hijack the au

CVE-2014-9386 MEDIUM
6.8 Dec 15

Zenoss Core before 4.2.5 SP161 sets an infinite lifetime for the session ID cookie, which makes it easier for remote att

CVE-2014-6260 MEDIUM
6.8 Dec 15

Zenoss Core through 5 Beta 3 does not require a password for modifying the pager command string, which allows remote att

CVE-2014-6255 MEDIUM
6.4 Dec 15

Open redirect vulnerability in the login form in Zenoss Core before 4.2.5 SP161 allows remote attackers to redirect user

CVE-2014-6259 MEDIUM
5.0 Dec 15

Zenoss Core through 5 Beta 3 does not properly detect recursion during entity expansion, which allows remote attackers t

CVE-2014-6258 MEDIUM
5.0 Dec 15

An unspecified endpoint in Zenoss Core through 5 Beta 3 allows remote attackers to cause a denial of service (CPU consum

CVE-2014-9248 MEDIUM
5.0 Dec 15

Zenoss Core through 5 Beta 3 does not require complex passwords, which makes it easier for remote attackers to obtain ac

CVE-2014-6257 MEDIUM
5.0 Dec 15

Zenoss Core through 5 Beta 3 allows remote attackers to bypass intended access restrictions by using a web-endpoint URL

CVE-2014-9250 MEDIUM
5.0 Dec 15

Zenoss Core through 5 Beta 3 does not include the HTTPOnly flag in a Set-Cookie header for the authentication cookie, wh

Share

CVE-2014-6253 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy