Cross-site request forgery (CSRF) vulnerability in am.pl in SQL-Ledger 2.8.24 allows remote attackers to hijack the authentication of arbitrary users for requests that change a password via the login, new_password, and confirm_password parameters in a preferences action.
The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Sql-ledger | Sql-ledger | 2.8.24 (including) | 2.8.24 (including) |
Sql-ledger | Ubuntu | dapper | * |
Sql-ledger | Ubuntu | esm-apps/xenial | * |
Sql-ledger | Ubuntu | hardy | * |
Sql-ledger | Ubuntu | intrepid | * |
Sql-ledger | Ubuntu | jaunty | * |
Sql-ledger | Ubuntu | karmic | * |
Sql-ledger | Ubuntu | lucid | * |
Sql-ledger | Ubuntu | maverick | * |
Sql-ledger | Ubuntu | natty | * |
Sql-ledger | Ubuntu | oneiric | * |
Sql-ledger | Ubuntu | precise | * |
Sql-ledger | Ubuntu | quantal | * |
Sql-ledger | Ubuntu | raring | * |
Sql-ledger | Ubuntu | saucy | * |
Sql-ledger | Ubuntu | trusty | * |
Sql-ledger | Ubuntu | upstream | * |
Sql-ledger | Ubuntu | utopic | * |
Sql-ledger | Ubuntu | vivid | * |
Sql-ledger | Ubuntu | wily | * |
Sql-ledger | Ubuntu | xenial | * |
Sql-ledger | Ubuntu | yakkety | * |
Sql-ledger | Ubuntu | zesty | * |