| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <5720D6DE.5040101@securify.nl> Date: Wed, 27 Apr 2016 17:12:30 +0200 From: "Securify B.V." <lists@...urify.nl> To: fulldisclosure@...lists.org Subject: [FD] EMC M&R (Watch4net) lacks Cross-Site Request Forgery protection ------------------------------------------------------------------------ EMC M&R (Watch4net) lacks Cross-Site Request Forgery protection ------------------------------------------------------------------------ Han Sahin, November 2014 ------------------------------------------------------------------------ Abstract ------------------------------------------------------------------------ It was discovered that EMC M&R (Watch4net) does not protect against Cross-Site Request Forgery (CSRF) attacks. A successful CSRF attack can compromise end user data and may allow an attacker to perform an account hijack. If the targeted end user is the administrator account, this results in a full compromise of Watch4net. ------------------------------------------------------------------------ Affected versions ------------------------------------------------------------------------ Versions of EMC ViPR SRM prior to version 3.7 are affected by these vulnerabilities. ------------------------------------------------------------------------ See also ------------------------------------------------------------------------ - http://seclists.org/bugtraq/2016/Apr/att-106/ESA-2016-039.txt - CVE-2016-0891 ------------------------------------------------------------------------ Fix ------------------------------------------------------------------------ EMC released 34247_ViPR-SRM to fix these vulnerabilities. Please note that this fix is only available for registered EMC Online Support customers. ------------------------------------------------------------------------ Details ------------------------------------------------------------------------ https://www.securify.nl/advisory/SFY20141109/emc_m_r__watch4net__lacks_cross_site_request_forgery_protection.html _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists