CVE-2011-4498

Cross-site request forgery (CSRF) vulnerability in the web console in Zenprise Device Manager 6.x through 6.1.8 allows remote attackers to hijack the authentication of administrators for requests that wipe mobile devices.

CVSS v2.0 6.8 MEDIUM

6.8^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:P/I:P/A:P

Exploitability : 8.6 / Impact : 6.4

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://www.kb.cert.org/vuls/id/584363	Patch US Government Resource
http://www.zenpriseportal.com/patches/ZP_SecPatch_618_9995.zip	Patch

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:zenprise:zenprise_device_manager:6.0:::::::*
	cpe:2.3:a:zenprise:zenprise_device_manager:6.1.0:::::::*
	cpe:2.3:a:zenprise:zenprise_device_manager:6.1.5:::::::*
	cpe:2.3:a:zenprise:zenprise_device_manager:6.1.6:::::::*
	cpe:2.3:a:zenprise:zenprise_device_manager:6.1.8:::::::*

History

No history.

Information

Published : 2011-11-21 11:55

Updated : 2011-11-21 11:55

NVD link : CVE-2011-4498

Mitre link : CVE-2011-4498

CVE.ORG link : CVE-2011-4498

JSON object : View

Products Affected

zenprise

zenprise_device_manager

CWE

CWE-352

Cross-Site Request Forgery (CSRF)

{"id": "CVE-2011-4498", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}]}, "published": "2011-11-21T11:55:04.697", "references": [{"url": "http://www.kb.cert.org/vuls/id/584363", "tags": ["Patch", "US Government Resource"], "source": "cve@mitre.org"}, {"url": "http://www.zenpriseportal.com/patches/ZP_SecPatch_618_9995.zip", "tags": ["Patch"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-352"}]}], "descriptions": [{"lang": "en", "value": "Cross-site request forgery (CSRF) vulnerability in the web console in Zenprise Device Manager 6.x through 6.1.8 allows remote attackers to hijack the authentication of administrators for requests that wipe mobile devices."}, {"lang": "es", "value": "Vulnerabilidad de falsificaci\u00f3n de petici\u00f3n en sitios cruzados en la consola web en Zenprise Device Manager v6.x hasta v6.1.8, permite a atacantes remotos secuestrar la autenticaci\u00f3n de administradores para peticiones que limpien dispositivos m\u00f3viles"}], "lastModified": "2011-11-21T11:55:04.697", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:zenprise:zenprise_device_manager:6.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4069641D-E045-47A7-8E79-76348EB0D6E5"}, {"criteria": "cpe:2.3:a:zenprise:zenprise_device_manager:6.1.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "52B2CEB2-F213-4AC1-8F0B-DEB220E6DA52"}, {"criteria": "cpe:2.3:a:zenprise:zenprise_device_manager:6.1.5:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CC540549-862A-43B3-86FA-2EDF450CC034"}, {"criteria": "cpe:2.3:a:zenprise:zenprise_device_manager:6.1.6:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5336DEB9-7141-47A1-8B1F-93DC9BDCC5E4"}, {"criteria": "cpe:2.3:a:zenprise:zenprise_device_manager:6.1.8:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2D3ACACB-93D6-487F-8F75-CAD2A96FA23C"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}