Vulnerability Note VU#236703

ActiveCollab permissions failure

Original Release date: 04 Oct 2010 | Last revised: 04 Oct 2010

Overview

An authenticated user can view and delete projects or files that they are not assigned to.

Description

An authenticated user who has no permission on a project can subscribe to that project, delete its files, and possibly take other actions by loading a specifically crafted URL. The specific fields in the URL would most likely not be known to the attacker, but a brute force attack could still be used to try all possibilities. ActiveCollab 2.3.1 is known to be vulnerable. Earlier versions may be vulnerable as well.

Impact

An authenticated attacker could view or modify projects they are not assigned to, resulting in loss of data integrity and confidentiality. An unauthenticated attacker may use a cross-site request forgery (XSRF) attack to trick an authenticated user into visiting a specifically crafted malicious URL as well.
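The Description and Impact sections above describe two distinct weaknesses that combine here: a request handler that checks only that someone is logged in, not that the user is assigned to the project named in the URL (a missing object-level authorization check), and the absence of a request token, which lets an attacker drive an authenticated victim's browser to such a URL (XSRF). The following is an added, self-contained Python illustration written for this note; it is not ActiveCollab code and the project and file identifiers, user names and function names are constructed for the example. It models both the flawed pattern and the corrected one side by side so the two checks a defender expects to see are explicit.

```python
import hmac
import secrets
from dataclasses import dataclass, field


def make_projects():
    """Constructed in-memory stand-in for project data (not ActiveCollab's schema).
    Each project records which users are assigned to it and the files it holds."""
    return {
        1: {"name": "Website redesign", "members": {"alice"}, "files": {10: "spec.pdf"}},
        2: {"name": "Payroll migration", "members": {"bob"}, "files": {20: "salaries.xlsx"}},
    }


@dataclass
class Session:
    """Authenticated session; the CSRF token is generated per session and must be
    echoed back in state-changing requests."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


class Forbidden(Exception):
    pass


def delete_file_vulnerable(projects, session, project_id, file_id):
    """Flawed pattern: authentication is checked, but the handler trusts the
    project_id/file_id taken from the URL without confirming the user is a
    member of that project, and accepts the request without a CSRF token."""
    if session is None:
        raise Forbidden("login required")
    projects[project_id]["files"].pop(file_id)
    return True


def is_project_member(projects, user, project_id):
    """Object-level authorization: is this user assigned to this specific project?"""
    project = projects.get(project_id)
    return project is not None and user in project["members"]


def delete_file_hardened(projects, session, project_id, file_id, submitted_token):
    """Corrected pattern: authenticate, verify the session-bound CSRF token,
    then authorize against the specific project before touching any data."""
    if session is None:
        raise Forbidden("login required")
    # Constant-time comparison; an absent token is rejected before comparing.
    if not submitted_token or not hmac.compare_digest(submitted_token, session.csrf_token):
        raise Forbidden("bad or missing CSRF token")
    if not is_project_member(projects, session.user, project_id):
        raise Forbidden("not assigned to project")
    if file_id not in projects[project_id]["files"]:
        raise Forbidden("no such file in project")
    projects[project_id]["files"].pop(file_id)
    return True


def demo():
    """Walk through the scenario: 'alice' is assigned only to project 1 but
    requests deletion of file 20 in project 2. Returns a dict of outcomes."""
    outcome = {}
    alice = Session(user="alice")

    projects = make_projects()
    outcome["vulnerable_allowed"] = delete_file_vulnerable(projects, alice, 2, 20)
    outcome["vulnerable_file_gone"] = 20 not in projects[2]["files"]

    projects = make_projects()
    try:
        delete_file_hardened(projects, alice, 2, 20, alice.csrf_token)
        outcome["hardened_blocked"] = False
    except Forbidden as exc:
        outcome["hardened_blocked"] = True
        outcome["hardened_reason"] = str(exc)
    outcome["hardened_file_intact"] = 20 in projects[2]["files"]

    # A cross-site request carries no valid token, so it fails even for a project
    # the victim is assigned to.
    try:
        delete_file_hardened(projects, alice, 1, 10, "")
        outcome["xsrf_blocked"] = False
    except Forbidden:
        outcome["xsrf_blocked"] = True

    # The legitimate case still works: right project, right token.
    outcome["legit_allowed"] = delete_file_hardened(projects, alice, 1, 10, alice.csrf_token)
    return outcome


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The ordering in `delete_file_hardened` matters: the CSRF check runs before any database lookup so a forged request cannot even probe for valid identifiers, and the membership check is made against the project named in the request rather than against "has the user any projects at all", which is the distinction the Description section turns on.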

Solution

Upgrade to ActiveCollab 2.3.2 or newer.

Vendor Information

Vendor     Status     Date Notified   Date Updated
A51 DOO    Affected   19 Aug 2010     20 Aug 2010

CVSS Metrics

Group          Score   Vector
Base           N/A     N/A
Temporal       N/A     N/A
Environmental  N/A     N/A

References

Credit

Thanks to Robin Wood for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

  • CVE IDs: CVE-2010-0215
  • Date Public: 04 Oct 2010
  • Date First Published: 04 Oct 2010
  • Date Last Updated: 04 Oct 2010
  • Severity Metric: 0.00
  • Document Revision: 25

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.