activeCollab Multiple Security Vulnerabilities
BID:53698
Info
activeCollab Multiple Security Vulnerabilities
| Bugtraq ID: | 53698 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | May 24 2012 12:00AM |
| Updated: | May 24 2012 12:00AM |
| Credit: | Andrew Horton, Steven Seeley, and Pedram Hayati from Stratsec |
| Vulnerable: |
A51 activeCollab 2.1.1 A51 activeCollab 1.1.6 A51 activeCollab 1.1.5 A51 activeCollab 2.3.4 A51 activeCollab 2.3.2 A51 activeCollab 2.1 A51 activeCollab 0.7.1 |
| Not Vulnerable: |
A51 activeCollab 2.3.10 |
Discussion
activeCollab Multiple Security Vulnerabilities
activeCollab is prone to multiple security vulnerabilities including:
1. Multiple SQL-injection vulnerabilities
2. Multiple cross-site scripting vulnerabilities
3. A security-bypass vulnerability
Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database and to bypass certain security restrictions and perform unauthorized actions; this may aid
in launching further attacks.
Versions prior to activeCollab 2.3.10 are vulnerable; other versions may also be affected.
activeCollab is prone to multiple security vulnerabilities including:
1. Multiple SQL-injection vulnerabilities
2. Multiple cross-site scripting vulnerabilities
3. A security-bypass vulnerability
Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database and to bypass certain security restrictions and perform unauthorized actions; this may aid
in launching further attacks.
Versions prior to activeCollab 2.3.10 are vulnerable; other versions may also be affected.
Exploit / POC
activeCollab Multiple Security Vulnerabilities
Attackers can use a browser to exploit these issues. An attacker must trick a victim into following a malicious URI to exploit a cross-site scripting issue.
Attackers can use a browser to exploit these issues. An attacker must trick a victim into following a malicious URI to exploit a cross-site scripting issue.
Solution / Fix
activeCollab Multiple Security Vulnerabilities
Solution:
Updates are available. Please see the reference for more details.
Solution:
Updates are available. Please see the reference for more details.
References
activeCollab Multiple Security Vulnerabilities
References:
References:
- activeCollab 2.3.10 (A51)
- activeCollab Homepage (A51)
- activeCollab Multiple Remote Vulnerabilities (Stratsec Research)