CVE-2018-1000846

{"id": "CVE-2018-1000846", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2018-12-20T15:29:02.190", "references": [{"url": "https://github.com/funzoneq/freshdns/issues/7", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/funzoneq/freshdns/pull/6/commits/bdeff81bd4baff9463d46b90fb1889e7ac7ec4ed", "tags": ["Patch", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/funzoneq/freshdns/issues/7", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/funzoneq/freshdns/pull/6/commits/bdeff81bd4baff9463d46b90fb1889e7ac7ec4ed", "tags": ["Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-352"}]}], "descriptions": [{"lang": "en", "value": "FreshDNS version 1.0.3 and earlier contains a Cross ite Request Forgery (CSRF) vulnerability in All (authenticated) API calls in index.php / class.manager.php that can result in Editing domains and zones with victim's privileges. This attack appear to be exploitable via Victim must open a website containing attacker's javascript. This vulnerability appears to have been fixed in 1.0.5 and later."}, {"lang": "es", "value": "FreshDNS, en versiones 1.0.3 y anteriores, contiene una vulnerabilidad Cross-Site Request Forgery (CSRF) en todas las llamadas (autenticadas) de la API en index.php/class.manager.php que puede resultar en la edici\u00f3n de dominios y zonas con los privilegios de la v\u00edctima. Este ataque parece ser explotable si una v\u00edctima abre un sitio web que contiene el JavaScript del atacante. La vulnerabilidad parece haber sido solucionada en las versiones 1.0.5 y siguientes."}], "lastModified": "2024-11-21T03:40:29.030", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:freshdns_project:freshdns:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "213D7381-7F7D-4624-A1E0-2ACFFFE4077E", "versionEndIncluding": "1.0.3"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}