CVE-2017-8930

{"id": "CVE-2017-8930", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2017-05-14T22:29:00.273", "references": [{"url": "https://github.com/simpleinvoices/simpleinvoices/issues/270", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-352"}]}], "descriptions": [{"lang": "en", "value": "Multiple cross-site request forgery (CSRF) vulnerabilities in Simple Invoices 2013.1.beta.8 allow remote attackers to hijack the authentication of admins for requests that can (1) create new administrator user accounts and take over the entire application, (2) create regular user accounts, or (3) change configuration parameters such as tax rates and the enable/disable status of PayPal payment modules."}, {"lang": "es", "value": "M\u00faltiples vulnerabilidades de tipo cross-site request forgery (CSRF) en Simple Invoices versi\u00f3n 2013.1.beta.8, permiten a atacantes remotos secuestrar la autenticaci\u00f3n de administradores para peticiones que pueden (1) crear nuevas cuentas de usuario de administrador y tomar control de toda la aplicaci\u00f3n, (2) crear cuentas de usuario normales, o (3) cambiar los par\u00e1metros de configuraci\u00f3n, tales como tax rates y el estado de habilitaci\u00f3n y inhabilitaci\u00f3n de los m\u00f3dulos de pago de PayPal."}], "lastModified": "2017-05-25T15:41:15.437", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:simpleinvoices:simple_invoices:2013.1:beta8:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D66ABC94-E4AD-4E4D-9F6D-82BD15F5C5A9"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}