Skip to main content

E107 CVE-2017-8098

MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2017-04-24 cve@mitre.org
6.5
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

1
CVE Published
Apr 24, 2017 - 18:59 cve.org
MEDIUM 6.5

DescriptionCVE.org

e107 2.1.4 is vulnerable to cross-site request forgery in plugin-installing, meta-changing, and settings-changing. A malicious web page can use forged requests to make e107 download and install a plug-in provided by the attacker.

AnalysisAI

e107 2.1.4 is vulnerable to cross-site request forgery in plugin-installing, meta-changing, and settings-changing. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

Technical ContextAI

This vulnerability is classified as Cross-Site Request Forgery (CSRF) (CWE-352), which allows attackers to trick authenticated users into performing unintended actions. e107 2.1.4 is vulnerable to cross-site request forgery in plugin-installing, meta-changing, and settings-changing. A malicious web page can use forged requests to make e107 download and install a plug-in provided by the attacker. Affected products include: E107.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Implement anti-CSRF tokens, validate Origin/Referer headers, use SameSite cookie attribute.

More in E107

View all
CVE-2022-50905 CRITICAL POC
9.8 Jan 13

e107 CMS 3.2.1 has multiple XSS vulnerabilities in news comments that allow executing arbitrary JavaScript. Rated CVSS 9

CVE-2021-27885 HIGH POC
8.8 Mar 02

usersettings.php in e107 through 2.3.0 lacks a certain e_TOKEN protection mechanism. Rated high severity (CVSS 8.8), thi

CVE-2018-15901 HIGH POC
8.8 Aug 28

e107 2.1.8 has CSRF in 'usersettings.php' with an impact of changing details such as passwords of users including admini

CVE-2022-50939 HIGH POC
7.2 Jan 13

e107 CMS version 3.2.1 contains a critical file upload vulnerability that allows authenticated administrators to overrid

CVE-2016-10378 HIGH POC
7.2 May 29

e107 2.1.1 allows SQL injection by remote authenticated administrators via the pagelist parameter to e107_admin/menus.ph

CVE-2022-50907 HIGH POC
7.2 Jan 13

e107 CMS version 3.2.1 contains a file upload vulnerability that allows authenticated administrative users to bypass upl

CVE-2022-50916 HIGH POC
7.2 Jan 13

e107 CMS version 3.2.1 contains a file upload vulnerability that allows authenticated administrators to override server

CVE-2018-16388 HIGH POC
7.2 Sep 12

e107_web/js/plupload/upload.php in e107 2.1.8 allows remote attackers to execute arbitrary PHP code by uploading a .php

CVE-2012-6433 MEDIUM POC
6.8 Jan 03

Cross-site request forgery (CSRF) vulnerability in e107_admin/newspost.php in e107 1.0.1 allows remote attackers to hija

CVE-2012-6434 MEDIUM POC
6.8 Jan 03

Multiple cross-site request forgery (CSRF) vulnerabilities in e107_admin/download.php in e107 1.0.2 allow remote attacke

CVE-2018-16381 MEDIUM POC
6.1 Sep 05

e107 2.1.8 has XSS via the e107_admin/users.php?mode=main&action=list user_loginname parameter. Rated medium severity (C

CVE-2023-36121 MEDIUM POC
5.4 Aug 02

Cross Site Scripting vulnerability in e107 v.2.3.2 allows a remote attacker to execute arbitrary code via the descriptio

Share

CVE-2017-8098 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy