CVE-2019-10253 - OpenCVE

A Cross-Site Request Forgery (CSRF) vulnerability exists in TeamMate+ 21.0.0.0 that allows a remote attacker to modify application data (upload malicious/forged files on a TeamMate server, or replace existing uploaded files with malicious/forged files). The specific flaw exists within the handling of Upload/DomainObjectDocumentUpload.ashx requests because of failure to validate a CSRF token before handling a POST request.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Teammatesolutions	Teammate\+

Configuration 1 [-]

cpe:2.3:a:teammatesolutions:teammate\+:21.0.0.0:*:*:*:*:*:*:*

References

Link	Resource
http://packetstormsecurity.com/files/154294/Wolters-Kluwer-TeamMate-3.1-Cross-Site-Request-Forgery.html	Exploit Third Party Advisory VDB Entry
http://www.teammatesolutions.com/	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2019-09-09T20:51:39

Updated: 2019-09-09T20:51:39

Reserved: 2019-03-28T00:00:00

Link: CVE-2019-10253

JSON object: View

NVD Information

Status : Analyzed

Published: 2019-09-09T21:15:10.717

Modified: 2019-09-10T22:56:33.487

Link: CVE-2019-10253

JSON object: View

Redhat Information

No data.

CWE

CWE-352

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "A Cross-Site Request Forgery (CSRF) vulnerability exists in TeamMate+ 21.0.0.0 that allows a remote attacker to modify application data (upload malicious/forged files on a TeamMate server, or replace existing uploaded files with malicious/forged files). The specific flaw exists within the handling of Upload/DomainObjectDocumentUpload.ashx requests because of failure to validate a CSRF token before handling a POST request."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-09-09T20:51:39", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "http://www.teammatesolutions.com/"}, {"tags": ["x_refsource_MISC"], "url": "http://packetstormsecurity.com/files/154294/Wolters-Kluwer-TeamMate-3.1-Cross-Site-Request-Forgery.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-10253", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A Cross-Site Request Forgery (CSRF) vulnerability exists in TeamMate+ 21.0.0.0 that allows a remote attacker to modify application data (upload malicious/forged files on a TeamMate server, or replace existing uploaded files with malicious/forged files). The specific flaw exists within the handling of Upload/DomainObjectDocumentUpload.ashx requests because of failure to validate a CSRF token before handling a POST request."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "http://www.teammatesolutions.com/", "refsource": "MISC", "url": "http://www.teammatesolutions.com/"}, {"name": "http://packetstormsecurity.com/files/154294/Wolters-Kluwer-TeamMate-3.1-Cross-Site-Request-Forgery.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/154294/Wolters-Kluwer-TeamMate-3.1-Cross-Site-Request-Forgery.html"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-10253", "datePublished": "2019-09-09T20:51:39", "dateReserved": "2019-03-28T00:00:00", "dateUpdated": "2019-09-09T20:51:39", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:teammatesolutions:teammate\\+:21.0.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "3A991403-93AE-4D5A-A036-B391359AA447", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A Cross-Site Request Forgery (CSRF) vulnerability exists in TeamMate+ 21.0.0.0 that allows a remote attacker to modify application data (upload malicious/forged files on a TeamMate server, or replace existing uploaded files with malicious/forged files). The specific flaw exists within the handling of Upload/DomainObjectDocumentUpload.ashx requests because of failure to validate a CSRF token before handling a POST request."}, {"lang": "es", "value": "Existe una vulnerabilidad de tipo Cross-Site Request Forgery (CSRF) en TeamMate+ versi\u00f3n 21.0.0.0, que permite a un atacante remoto modificar los datos de la aplicaci\u00f3n (cargar archivos maliciosos/falsificados en un servidor TeamMate o reemplace los archivos cargados existentes con archivos maliciosos/falsificados). El fallo espec\u00edfico se presenta en el manejo de las peticiones del archivo Upload/DomainObjectDocumentUpload.ashx debido al fallo para validar un token CSRF antes de manejar una petici\u00f3n POST."}], "id": "CVE-2019-10253", "lastModified": "2019-09-10T22:56:33.487", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-09-09T21:15:10.717", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/154294/Wolters-Kluwer-TeamMate-3.1-Cross-Site-Request-Forgery.html"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://www.teammatesolutions.com/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "nvd@nist.gov", "type": "Primary"}]}