Vulnerability-Lookup

CERTA-2009-AVI-502

Vulnerability from certfr_avis - Published: 2009-11-17 - Updated: 2009-11-17

Une vulnérabilité dans XOOPS permet à un utilisateur de faire une demande d'activation sans que l'administrateur du site Web ne soit averti.

Description

La fonction d'envoi de demande d'activation est accessible pour tous les utilisateurs. Cette fonction envoie une demande d'activation sans avertir l'administrateur du site Web.

Solution

Mettre à jour le logiciel (cf. section Documentation).

XOOPS versions antérieures à 2.4.1.

Impacted products

	Vendor	Product	Description

References

Title

Publication Time

Tags

Bulletin de mise à jour de XOOPS	None	vendor-advisory
Bulletin de mise à jour du 11 novembre 2009 :	-	other

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [],
  "affected_systems_content": "\u003cp\u003eXOOPS versions ant\u00e9rieures \u00e0 2.4.1.\u003c/p\u003e",
  "content": "## Description\n\nLa fonction d\u0027envoi de demande d\u0027activation est accessible pour tous les\nutilisateurs. Cette fonction envoie une demande d\u0027activation sans\navertir l\u0027administrateur du site Web.\n\n## Solution\n\nMettre \u00e0 jour le logiciel (cf. section Documentation).\n",
  "cves": [],
  "initial_release_date": "2009-11-17T00:00:00",
  "last_revision_date": "2009-11-17T00:00:00",
  "links": [
    {
      "title": "Bulletin de mise \u00e0 jour du 11 novembre 2009 :",
      "url": "http://www.xoops.org/modules/news/article.php?storyid=5096"
    }
  ],
  "reference": "CERTA-2009-AVI-502",
  "revisions": [
    {
      "description": "version initiale.",
      "revision_date": "2009-11-17T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    }
  ],
  "summary": "Une vuln\u00e9rabilit\u00e9 dans XOOPS permet \u00e0 un utilisateur de faire une\ndemande d\u0027activation sans que l\u0027administrateur du site Web ne soit\naverti.\n",
  "title": "Vuln\u00e9rabilit\u00e9 dans XOOPS",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de mise \u00e0 jour de XOOPS",
      "url": null
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted