CVE-2017-6080

CRITICAL Year: 2017
CVSS v3 Score
9.8
Critical
CVSS v2 Score
7.5
High
Weakness Type
CWE-352
View all →

Vulnerability Description

An issue was discovered in Zammad before 1.0.4, 1.1.x before 1.1.3, and 1.2.x before 1.2.1, caused by lack of a protection mechanism involving HTTP Access-Control headers. To exploit the vulnerability, an attacker can send cross-domain requests directly to the REST API for users with a valid session cookie and receive the result.

Related Vulnerabilities

CVE-2016-9866

CRITICAL
CVSS:9.8(Critical)

An issue was discovered in phpMyAdmin. When the arg_separator is different from its default & value, the CSRF token was not properly stripped from the return URL of the preference import action. All 4...

CWE-3522016

CVE-2017-16780

CRITICAL
CVSS:9.8(Critical)

The installer in MyBB before 1.8.13 allows remote attackers to execute arbitrary code by writing to the configuration file.

CWE-3522017

CVE-2017-5959

CRITICAL
CVSS:9.8(Critical)

CSRF token bypass in GeniXCMS before 1.0.2 could result in escalation of privileges. The forgotpassword.php page can be used to acquire a token.

CWE-3522017

CVE-2018-18934

CRITICAL
CVSS:9.8(Critical)

An issue was discovered in PopojiCMS v2.0.1. admin_component.php is exploitable via the po-admin/route.php?mod=component&act=addnew URI by using the fupload parameter to upload a ZIP file containing a...

CWE-3522018

CVE-2019-14551

CRITICAL
CVSS:9.8(Critical)

Das Q before 2019-08-02 allows web sites to execute arbitrary code on client machines, as demonstrated by a cross-origin /install request with an attacker-controlled releaseUrl, which triggers downloa...

CWE-3522019

CVE-2019-17495

CRITICAL
CVSS:9.8(Critical)

A Cascading Style Sheets (CSS) injection vulnerability in Swagger UI before 3.23.11 allows attackers to use the Relative Path Overwrite (RPO) technique to perform CSS-based input field value exfiltrat...

CWE-3522019