Executive Summary

This alert is flagged as a CWE/SANS Top 25 Common Weakness Enumeration entry.
Information
Name : MDVSA-2010:015
First vendor Publication : 2010-01-19
Vendor : Mandriva
Last vendor Modification : 2010-01-19
Severity (Vendor) : N/A
Revision : N/A

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score : NA
Base Score : NA
Environmental Score : NA
Impact SubScore : NA
Temporal Score : NA
Exploitability Sub Score : NA

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Cvss Base Score : 6.8
Cvss Impact Score : 6.4
Cvss Exploit Score : 8.6
Attack Range : Network
Attack Complexity : Medium
Authentication : None Required

Detail

Multiple vulnerabilities have been found and corrected in transmission:

A number of dependency problems were discovered and have been corrected with this release (#56006).

Cross-site request forgery (CSRF) vulnerability in Roundcube Webmail 0.2.2 and earlier allows remote attackers to hijack the authentication of unspecified users for requests that modify user information via unspecified vectors, a different vulnerability than CVE-2009-4077 (CVE-2009-4076).

Cross-site request forgery (CSRF) vulnerability in Roundcube Webmail 0.2.2 and earlier allows remote attackers to hijack the authentication of unspecified users for requests that send arbitrary emails via unspecified vectors, a different vulnerability than CVE-2009-4076 (CVE-2009-4077).

The updated packages have been patched to correct these issues. Additionally, roundcubemail has been upgraded to 0.2.2, which also fixes a number of upstream bugs.

Original Source

Url : http://www.mandriva.com/security/advisories?name=MDVSA-2010:015

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-352 Cross-Site Request Forgery (CSRF) (CWE/SANS Top 25)

CPE : Common Platform Enumeration

Type Description Count
Application 22

OpenVAS Exploits

Date Description
2010-01-20 Name : Mandriva Update for roundcubemail MDVSA-2010:015 (roundcubemail)
File : nvt/gb_mandriva_MDVSA_2010_015.nasl
2009-12-10 Name : Fedora Core 10 FEDORA-2009-12481 (roundcubemail)
File : nvt/fcore_2009_12481.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
60567 RoundCube Webmail Arbitrary Email Send Unspecified CSRF

59661 RoundCube Webmail User Information Modification CSRF

Nessus® Vulnerability Scanner

Date Description
2009-12-02 Name : The remote Fedora host is missing a security update.
File : fedora_2009-12481.nasl - Type : ACT_GATHER_INFO