search menu icon-carat-right cmu-wordmark

CERT Coordination Center

ActiveCollab permissions failure

Vulnerability Note VU#236703

Original Release Date: 2010-10-04 | Last Revised: 2010-10-04


An authenticated user can view and delete projects or files that they are not assigned to.


An authenticated user with no permission to a project can subscribe to the project, delete files, and possibly take other actions by loading a specifically crafted URL. Specific fields for the URL would most likely not be known to the attacker but a brute force attack could still be used to try all possibilities. ActiveCollab 2.3.1 is known to be vulnerable. Earlier versions may be vulnerable as well.


An authenticated attacker could view or modify projects they are not assigned to, resulting in loss of data integrity and confidentiality. An unauthenticated attacker may use a cross-site request forgery (XSRF) attack to trick an authenticated user into visiting a specifically crafted malicious URL as well.


Upgrade to ActiveCollab 2.3.2 or newer.

Vendor Information


A51 DOO Affected

Notified:  August 19, 2010 Updated: August 20, 2010



Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

CVSS Metrics

Group Score Vector



Thanks to Robin Wood for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

CVE IDs: CVE-2010-0215
Severity Metric: 0.00
Date Public: 2010-10-04
Date First Published: 2010-10-04
Date Last Updated: 2010-10-04 12:42 UTC
Document Revision: 25

Sponsored by CISA.