Vulnerability Description
Roland Gruber Softwareentwicklung LDAP Account Manager before 6.3 places a CSRF token in the sec_token parameter of a URI, which makes it easier for remote attackers to defeat a CSRF protection mechanism by leveraging logging.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Debian | Debian Linux | 8.0 |
| Ldap-Account-Manager | Ldap Account Manager | < 6.3 |
Related Weaknesses (CWE)
References
- http://packetstormsecurity.com/files/146858/LDAP-Account-Manager-6.2-Cross-Site-ExploitThird Party AdvisoryVDB Entry
- http://seclists.org/fulldisclosure/2018/Mar/45ExploitMailing ListThird Party Advisory
- https://www.debian.org/security/2018/dsa-4165Third Party Advisory
- http://packetstormsecurity.com/files/146858/LDAP-Account-Manager-6.2-Cross-Site-ExploitThird Party AdvisoryVDB Entry
- http://seclists.org/fulldisclosure/2018/Mar/45ExploitMailing ListThird Party Advisory
- https://www.debian.org/security/2018/dsa-4165Third Party Advisory
FAQ
What is CVE-2018-8764?
CVE-2018-8764 is a vulnerability with a CVSS score of 8.8 (HIGH). Roland Gruber Softwareentwicklung LDAP Account Manager before 6.3 places a CSRF token in the sec_token parameter of a URI, which makes it easier for remote attackers to defeat a CSRF protection mechan...
How severe is CVE-2018-8764?
CVE-2018-8764 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2018-8764?
Check the references section above for vendor advisories and patch information. Affected products include: Debian Debian Linux, Ldap-Account-Manager Ldap Account Manager.