BID:105869

TIBCO ActiveSpaces Administrative Daemon CVE-2018-12411 Cross Site Request Forgery Vulnerability

CVE-2018-12411 |

Info

TIBCO ActiveSpaces Administrative Daemon CVE-2018-12411 Cross Site Request Forgery Vulnerability

Bugtraq ID:	105869
Class:	Input Validation Error
CVE:	CVE-2018-12411
Remote:	Yes
Local:	No
Published:	Nov 06 2018 12:00AM
Updated:	Nov 06 2018 12:00AM
Credit:	The vendor reported this issue.
Vulnerable:	TIBCO ActiveSpaces - Enterprise Edition 3.5 TIBCO ActiveSpaces - Enterprise Edition 3.4 TIBCO ActiveSpaces - Enterprise Edition 3.3 TIBCO ActiveSpaces - Enterprise Edition 3.2 TIBCO ActiveSpaces - Enterprise Edition 3.1 TIBCO ActiveSpaces - Enterprise Edition 3.0 TIBCO ActiveSpaces - Developer Edition 3.5 TIBCO ActiveSpaces - Developer Edition 3.4 TIBCO ActiveSpaces - Developer Edition 3.3 TIBCO ActiveSpaces - Developer Edition 3.1 TIBCO ActiveSpaces - Developer Edition 3.0 TIBCO ActiveSpaces - Community Edition 3.5 TIBCO ActiveSpaces - Community Edition 3.4 TIBCO ActiveSpaces - Community Edition 3.3

Not Vulnerable:	TIBCO ActiveSpaces - Enterprise Edition 3.5.1 TIBCO ActiveSpaces - Developer Edition 3.5.1 TIBCO ActiveSpaces - Community Edition 3.5.1

Discussion

TIBCO ActiveSpaces Administrative Daemon CVE-2018-12411 Cross Site Request Forgery Vulnerability

TIBCO ActiveSpaces is prone to a cross-site request-forgery vulnerability because the application fails to properly validate HTTP requests.

Exploiting this issue may allow a remote attacker to perform certain unauthorized actions and gain access to the affected application. Other attacks are also possible.

The following versions are affected:

TIBCO ActiveSpaces - Community Edition versions 3.3.0, 3.4.0, and 3.5.0
TIBCO ActiveSpaces - Developer Edition versions 3.0.0, 3.1.0, 3.3.0, 3.4.0, and 3.5.0
TIBCO ActiveSpaces - Enterprise Edition versions 3.0.0, 3.1.0, 3.2.0, 3.3.0, 3.4.0, and 3.5.0

Exploit / POC

TIBCO ActiveSpaces Administrative Daemon CVE-2018-12411 Cross Site Request Forgery Vulnerability

An attacker can exploit this issue by enticing an unsuspecting user to follow a malicious URI.

Solution / Fix

TIBCO ActiveSpaces Administrative Daemon CVE-2018-12411 Cross Site Request Forgery Vulnerability

Solution:
Vendor updates are available. Please see the references for more information.

References

TIBCO ActiveSpaces Administrative Daemon CVE-2018-12411 Cross Site Request Forgery Vulnerability

References:

TIBCO Homepage (TIBCO)
TIBCO ActiveSpaces Administrative Daemon Vulnerable to CSRF Attacks (TIBCO)