Trac MultiProject Plugin Clickjacking and Cross Site Request Forgery Vulnerabilities

Bugtraq ID:	58173
Class:	Input Validation Error
CVE:
Remote:	Yes
Local:	No
Published:	Feb 26 2013 12:00AM
Updated:	Feb 26 2013 12:00AM
Credit:	The vendor reported these issues.
Vulnerable:
Not Vulnerable:

Trac MultiProject Plugin Clickjacking and Cross Site Request Forgery Vulnerabilities

MultiProject Plugin for Trac is prone to a clickjacking vulnerability and a cross-site request-forgery vulnerability.

Successful exploits will allow an attacker to perform unauthorized actions in the context of a user's session, compromise the affected application or obtain sensitive information. Other attacks are also possible.

MultiProject Plugin for Trac versions prior to 1.4.22 are vulnerable.

Trac MultiProject Plugin Clickjacking and Cross Site Request Forgery Vulnerabilities

An attacker can exploit the clickjacking issue by enticing an unsuspecting user to visit a crafted site. To exploit the cross-site request-forgery issue, attackers must entice an unsuspecting victim to follow a malicious URI.

Trac MultiProject Plugin Clickjacking and Cross Site Request Forgery Vulnerabilities

Solution:
Updates are available. Please see the references or vendor advisory for more information.

Trac MultiProject Plugin Clickjacking and Cross Site Request Forgery Vulnerabilities

References: