CVE-2018-7634

{"id": "CVE-2018-7634", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2018-03-01T23:29:00.607", "references": [{"url": "https://github.com/Enalean/tuleap/commit/0843c046eee54b16ec6a7753c575838212770189", "tags": ["Patch"], "source": "cve@mitre.org"}, {"url": "https://mustafairan.wordpress.com/2018/03/05/tuleap-mail-change-csrf-vulnerability-leads-to-account-takeover/", "tags": ["Exploit", "Patch", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://tuleap.net/plugins/git/tuleap/tuleap/stable?p=tuleap%2Fstable.git&a=commit&h=d6701289ae55de900929ff0f66313fa9771a198d", "tags": ["Issue Tracking", "Patch", "Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://tuleap.net/plugins/tracker/?aid=11217", "tags": ["Patch", "Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://twitter.com/Mustafaran/status/970745812887199744", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-352"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Enalean Tuleap 9.17. Lack of CSRF attack mitigation while changing an e-mail address makes it possible to abuse the functionality by attackers. By making a CSRF attack, an attacker could make a victim change his registered e-mail address on the application, leading to account takeover."}, {"lang": "es", "value": "Se ha descubierto un problema en Enalean Tuleap 9.17. La falta de mitigaci\u00f3n de ataques Cross-Site Request Forgery (CSRF) al cambiar una direcci\u00f3n de email posibilita que los atacantes puedan abusar de la funcionalidad. Mediante la realizaci\u00f3n de un ataque de CSRF, un atacante podr\u00eda hacer que una v\u00edctima cambie su direcci\u00f3n de email registrada en la aplicaci\u00f3n, lo que conduce a la toma de control de la cuenta."}], "lastModified": "2018-03-22T13:59:47.687", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:enalean:tuleap:9.17:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D788FEE9-7E6B-48C7-A867-D29BDCA98ADF"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}