CVE-2008-7139 - OpenCVE

Multiple cross-site request forgery (CSRF) vulnerabilities in WS-Proxy in Eye-Fi 1.1.2 allow remote attackers to hijack the authentication of users for requests that modify configuration via a SOAPAction parameter of (1) urn:SetOptions for autostart, (2) urn:SetDesktopSync for file upload, or (3) urn:SetFolderConfig for file download location or modification of authentication credentials; and (4) urn:AddNetwork for adding an arbitrary Service Set Identifier (SSID) to hijack the image upload.

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Eye.fi	Eye-fi Manager

Configuration 1 [-]

cpe:2.3:a:eye.fi:eye-fi_manager:1.1.2:*:*:*:*:*:*:*

References

Link	Resource
http://osvdb.org/42718
http://secunia.com/advisories/29221	Vendor Advisory
http://www.informit.com/articles/article.aspx?p=1177111	Exploit
http://www.securityfocus.com/archive/1/489045/100/0/threaded
http://www.securityfocus.com/bid/28085
https://exchange.xforce.ibmcloud.com/vulnerabilities/40995

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2009-09-01T16:00:00

Updated: 2018-10-11T19:57:01

Reserved: 2009-09-01T00:00:00

Link: CVE-2008-7139

JSON object: View

NVD Information

Status : Modified

Published: 2009-09-01T16:30:00.420

Modified: 2018-10-11T20:58:21.757

Link: CVE-2008-7139

JSON object: View

Redhat Information

No data.

CWE

CWE-352

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2008-02-29T00:00:00", "descriptions": [{"lang": "en", "value": "Multiple cross-site request forgery (CSRF) vulnerabilities in WS-Proxy in Eye-Fi 1.1.2 allow remote attackers to hijack the authentication of users for requests that modify configuration via a SOAPAction parameter of (1) urn:SetOptions for autostart, (2) urn:SetDesktopSync for file upload, or (3) urn:SetFolderConfig for file download location or modification of authentication credentials; and (4) urn:AddNetwork for adding an arbitrary Service Set Identifier (SSID) to hijack the image upload."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-10-11T19:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "28085", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/28085"}, {"name": "20080303 Airscanner Mobile Security Advisory #07122001: Eye-Fi Multiple Vulnerabilities", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://www.securityfocus.com/archive/1/489045/100/0/threaded"}, {"tags": ["x_refsource_MISC"], "url": "http://www.informit.com/articles/article.aspx?p=1177111"}, {"name": "29221", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/29221"}, {"name": "eyefimanager-wsproxy-csrf(40995)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/40995"}, {"name": "42718", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://osvdb.org/42718"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2008-7139", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Multiple cross-site request forgery (CSRF) vulnerabilities in WS-Proxy in Eye-Fi 1.1.2 allow remote attackers to hijack the authentication of users for requests that modify configuration via a SOAPAction parameter of (1) urn:SetOptions for autostart, (2) urn:SetDesktopSync for file upload, or (3) urn:SetFolderConfig for file download location or modification of authentication credentials; and (4) urn:AddNetwork for adding an arbitrary Service Set Identifier (SSID) to hijack the image upload."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "28085", "refsource": "BID", "url": "http://www.securityfocus.com/bid/28085"}, {"name": "20080303 Airscanner Mobile Security Advisory #07122001: Eye-Fi Multiple Vulnerabilities", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/489045/100/0/threaded"}, {"name": "http://www.informit.com/articles/article.aspx?p=1177111", "refsource": "MISC", "url": "http://www.informit.com/articles/article.aspx?p=1177111"}, {"name": "29221", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/29221"}, {"name": "eyefimanager-wsproxy-csrf(40995)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/40995"}, {"name": "42718", "refsource": "OSVDB", "url": "http://osvdb.org/42718"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2008-7139", "datePublished": "2009-09-01T16:00:00", "dateReserved": "2009-09-01T00:00:00", "dateUpdated": "2018-10-11T19:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:eye.fi:eye-fi_manager:1.1.2:*:*:*:*:*:*:*", "matchCriteriaId": "1EAB27E8-AB18-421C-A3EA-01C73FC222BC", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Multiple cross-site request forgery (CSRF) vulnerabilities in WS-Proxy in Eye-Fi 1.1.2 allow remote attackers to hijack the authentication of users for requests that modify configuration via a SOAPAction parameter of (1) urn:SetOptions for autostart, (2) urn:SetDesktopSync for file upload, or (3) urn:SetFolderConfig for file download location or modification of authentication credentials; and (4) urn:AddNetwork for adding an arbitrary Service Set Identifier (SSID) to hijack the image upload."}, {"lang": "es", "value": "M\u00faltiples vulnerabilidades de falsificaci\u00f3n de petici\u00f3n en sitios cruzados(CSRF)en WS-Proxy en Eye-Fi v1.1.2 permite a atacantes remotos secuestrar las autentificaciones para peticiones de usuarios que modifican la configuraci\u00f3n a trav\u00e9s del par\u00e1metro SOAPAction de (1) urn:SetOptions para autostart, (2) urn:SetDesktopSync para el fichero upload, o (3) urn:SetFolderConfig para fichero de localizaci\u00f3n de descarga y modificaci\u00f3n de credenciales de autentificaci\u00f3n y (4) urn:AddNetwork para a\u00f1adir el Service Set Identifier (SSID)a su elecci\u00f3n para secuestrar la imagen subida."}], "id": "CVE-2008-7139", "lastModified": "2018-10-11T20:58:21.757", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}]}, "published": "2009-09-01T16:30:00.420", "references": [{"source": "cve@mitre.org", "url": "http://osvdb.org/42718"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/29221"}, {"source": "cve@mitre.org", "tags": ["Exploit"], "url": "http://www.informit.com/articles/article.aspx?p=1177111"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/489045/100/0/threaded"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/28085"}, {"source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/40995"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "nvd@nist.gov", "type": "Primary"}]}