An authenticated user can view and delete projects or files that they are not assigned to.
An authenticated user with no permission to a project can subscribe to the project, delete files, and possibly take other actions by loading a specifically crafted URL. Specific fields for the URL would most likely not be known to the attacker but a brute force attack could still be used to try all possibilities. ActiveCollab 2.3.1 is known to be vulnerable. Earlier versions may be vulnerable as well.
An authenticated attacker could view or modify projects they are not assigned to, resulting in loss of data integrity and confidentiality. An unauthenticated attacker may use a cross-site request forgery (XSRF) attack to trick an authenticated user into visiting a specifically crafted malicious URL as well.
Upgrade to ActiveCollab 2.3.2 or newer.
Thanks to Robin Wood for reporting this vulnerability.
This document was written by Jared Allar.
|Date First Published:||2010-10-04|
|Date Last Updated:||2010-10-04 12:42 UTC|