
CERT Coordination Center

ActiveCollab permissions failure

Vulnerability Note VU#236703

Original Release Date: 2010-10-04 | Last Revised: 2010-10-04

Overview

An authenticated user can view and delete projects or files that they are not assigned to.

Description

An authenticated user who has not been assigned to a project can subscribe to that project, delete its files, and possibly take other actions by requesting a specifically crafted URL. The attacker would most likely not know the project and file identifiers the URL requires, but they could be found by brute force, trying every candidate value until one succeeds. ActiveCollab 2.3.1 is known to be vulnerable. Earlier versions may be vulnerable as well.

Impact

An authenticated attacker could view or modify projects they are not assigned to, resulting in a loss of data integrity and confidentiality. A remote, unauthenticated attacker may also use cross-site request forgery (XSRF) to cause an authenticated user's browser to request a specifically crafted malicious URL, so that the action is performed with that user's privileges.
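The two failure modes described above (a state-changing URL that checks only that the caller is logged in, and the same URL being reachable through cross-site request forgery) are illustrated below with an added example. This is not ActiveCollab code: the data model, handler names and token scheme are constructed for illustration. It contrasts a vulnerable delete handler with a hardened one that authorizes against the object's owning project and requires a session-bound anti-CSRF token, and runs the brute-force loop from the Description against both.

```python
"""Added example (not ActiveCollab code): object-level authorization plus an
anti-CSRF token on a state-changing request handler.

Everything here (projects, files, users, token scheme) is constructed sample
data and hypothetical names; it does not describe ActiveCollab's internals.
"""
import hmac
import secrets

# Constructed sample data: two projects, one file each, two users.
PROJECTS = {
    101: {"name": "Payroll", "members": {"alice"}},
    102: {"name": "Website", "members": {"bob"}},
}
FILES = {
    5001: {"project_id": 101, "name": "salaries.xlsx"},
    5002: {"project_id": 102, "name": "logo.png"},
}


class Forbidden(Exception):
    """Raised when a request must be refused."""


def new_session(user):
    """Hypothetical login: a session carries the user and a random CSRF token."""
    return {"user": user, "csrf": secrets.token_hex(16)}


def delete_file_vulnerable(session_user, file_id, files):
    """Vulnerable pattern: the only check is that the caller is logged in.
    Any authenticated user who guesses a valid file_id can delete the file,
    and a crafted link visited by a logged-in victim has the same effect."""
    if session_user is None:
        raise Forbidden("login required")
    if file_id not in files:
        return False
    del files[file_id]
    return True


def is_assigned(user, project_id, projects):
    """Object-level authorization: is this user a member of this project?"""
    project = projects.get(project_id)
    return project is not None and user in project["members"]


def delete_file_hardened(session, file_id, submitted_token, files, projects):
    """Hardened pattern:
    1. authenticate;
    2. require an anti-CSRF token that matches the one stored in the session,
       compared in constant time, so a cross-site request (no token) fails;
    3. authorize against the project that owns the file, and answer
       'not found' identically for missing and for unauthorized objects so
       brute-forcing identifiers does not reveal which ones exist."""
    if session is None:
        raise Forbidden("login required")
    if submitted_token is None or not hmac.compare_digest(session["csrf"], submitted_token):
        raise Forbidden("missing or invalid CSRF token")
    record = files.get(file_id)
    if record is None or not is_assigned(session["user"], record["project_id"], projects):
        raise Forbidden("not found")
    del files[file_id]
    return True


def brute_force_delete(handler, id_range):
    """The attacker loop from the note: try every candidate identifier and
    record which ones the handler acted on."""
    deleted = []
    for file_id in id_range:
        try:
            if handler(file_id):
                deleted.append(file_id)
        except Forbidden:
            pass
    return deleted


def demo():
    """Run the brute-force loop as 'bob', who is assigned only to project 102."""
    vuln_files = dict(FILES)
    hard_files = dict(FILES)
    bob = new_session("bob")

    # Vulnerable handler: bob deletes the Payroll file he is not assigned to.
    got_vuln = brute_force_delete(
        lambda fid: delete_file_vulnerable(bob["user"], fid, vuln_files), range(5000, 5010))

    # Hardened handler with bob's own valid token: only his project's file goes.
    got_hard = brute_force_delete(
        lambda fid: delete_file_hardened(bob, fid, bob["csrf"], hard_files, PROJECTS),
        range(5000, 5010))

    # XSRF: a cross-site request carries no token, so even bob's own file survives.
    try:
        delete_file_hardened(bob, 5002, None, dict(FILES), PROJECTS)
        xsrf_rejected = False
    except Forbidden:
        xsrf_rejected = True

    return got_vuln, got_hard, xsrf_rejected


if __name__ == "__main__":
    print(demo())
```

The uniform "not found" response in the hardened handler is what blunts the brute-force step: an attacker enumerating identifiers cannot tell a file in someone else's project from one that does not exist. The token check must use the session's own stored value; a token carried only in a cookie would be sent automatically by the victim's browser and would not stop the XSRF variant.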

Solution

Upgrade to ActiveCollab 2.3.2 or newer.

Vendor Information


A51 DOO

Notified:  August 19, 2010 Updated:  August 20, 2010

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

http://www.activecollab.com/news/activecollab-2-3-2-is-available-for-download/


CVSS Metrics

Group          Score  Vector
Base           N/A    N/A
Temporal       N/A    N/A
Environmental  N/A    N/A


Credit

Thanks to Robin Wood for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

CVE IDs: CVE-2010-0215
Severity Metric: 0.00
Date Public: 2010-10-04
Date First Published: 2010-10-04
Date Last Updated: 2010-10-04 12:42 UTC
Document Revision: 25

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.