CVE-2017-15063 - Vulnerability Details - OpenCVE

There are CSRF vulnerabilities in Subrion CMS 4.1.x through 4.1.5, and before 4.2.0, because of a logic error. Although there is functionality to detect CSRF, it is called too late in the ia.core.php code, allowing (for example) an attack against the query parameter to panel/database.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Intelliants	Subrion

Configuration 1 [-]

cpe:2.3:a:intelliants:subrion:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/intelliants/subrion/issues/547
https://github.com/intelliants/subrion/issues/570

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2017-10-06T07:00:00

Updated: 2024-08-05T19:42:22.366Z

Reserved: 2017-10-06T00:00:00

Link: CVE-2017-15063

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2017-10-06T07:29:00.253

Modified: 2025-04-20T01:37:25.860

Link: CVE-2017-15063

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2017-10-06T00:00:00", "descriptions": [{"lang": "en", "value": "There are CSRF vulnerabilities in Subrion CMS 4.1.x through 4.1.5, and before 4.2.0, because of a logic error. Although there is functionality to detect CSRF, it is called too late in the ia.core.php code, allowing (for example) an attack against the query parameter to panel/database."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-10-17T20:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/intelliants/subrion/issues/570"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/intelliants/subrion/issues/547"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2017-15063", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "There are CSRF vulnerabilities in Subrion CMS 4.1.x through 4.1.5, and before 4.2.0, because of a logic error. Although there is functionality to detect CSRF, it is called too late in the ia.core.php code, allowing (for example) an attack against the query parameter to panel/database."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/intelliants/subrion/issues/570", "refsource": "MISC", "url": "https://github.com/intelliants/subrion/issues/570"}, {"name": "https://github.com/intelliants/subrion/issues/547", "refsource": "MISC", "url": "https://github.com/intelliants/subrion/issues/547"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T19:42:22.366Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/intelliants/subrion/issues/570"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/intelliants/subrion/issues/547"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-15063", "datePublished": "2017-10-06T07:00:00", "dateReserved": "2017-10-06T00:00:00", "dateUpdated": "2024-08-05T19:42:22.366Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:intelliants:subrion:*:*:*:*:*:*:*:*", "matchCriteriaId": "6B85D0B5-A4C7-4405-BE56-E90E20F3678E", "versionEndIncluding": "4.1.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "There are CSRF vulnerabilities in Subrion CMS 4.1.x through 4.1.5, and before 4.2.0, because of a logic error. Although there is functionality to detect CSRF, it is called too late in the ia.core.php code, allowing (for example) an attack against the query parameter to panel/database."}, {"lang": "es", "value": "Existen vulnerabilidades de Cross-Site Request Forgery (CSRF) en Subrion CMS en versiones 4.1.x hasta la 4.1.5 y en versiones anteriores a la 4.2.0 debido a un error de l\u00f3gica. Aunque existen funcionalidades para detectar CSRF, se llaman demasiado tarde en el c\u00f3digo ia.core.php, lo que permite (por ejemplo), un ataque contra el par\u00e1metro query en panel/database."}], "id": "CVE-2017-15063", "lastModified": "2025-04-20T01:37:25.860", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-10-06T07:29:00.253", "references": [{"source": "cve@mitre.org", "tags": ["Issue Tracking", "Patch", "Vendor Advisory"], "url": "https://github.com/intelliants/subrion/issues/547"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/intelliants/subrion/issues/570"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Patch", "Vendor Advisory"], "url": "https://github.com/intelliants/subrion/issues/547"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/intelliants/subrion/issues/570"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "nvd@nist.gov", "type": "Primary"}]}