Open Web Analytics up to 1.5.5 CSRF Protection owa_user_id cross-site request forgery

A vulnerability classified as critical has been found in Open Web Analytics up to 1.5.5. The issue affects unknown functionality of the CSRF Protection component. Upgrading to version 1.5.6 eliminates this vulnerability. A possible mitigation was published before, and not just after, the disclosure of the vulnerability.

| Field | 03/21/2018 07:34 AM | 01/15/2020 07:52 AM | 02/05/2021 02:16 PM |
| --- | --- | --- | --- |
| name | Open Web Analytics | Open Web Analytics | Open Web Analytics |
| version | <=1.5.5 | <=1.5.5 | <=1.5.5 |
| component | CSRF Protection | CSRF Protection | CSRF Protection |
| argument | owa_user_id | owa_user_id | owa_user_id |
| input_type | User Name | User Name | User Name |
| cwe | 352 (cross-site request forgery) | 352 (cross-site request forgery) | 352 (cross-site request forgery) |
| risk | 1 | 1 | 1 |
| cvss2_vuldb_basescore | 5.8 | 5.8 | 5.8 |
| cvss2_vuldb_tempscore | 5.0 | 5.0 | 5.0 |
| cvss2_vuldb_av | N | N | N |
| cvss2_vuldb_ac | M | M | M |
| cvss2_vuldb_au | N | N | N |
| cvss2_vuldb_ci | P | P | P |
| cvss2_vuldb_ii | P | P | P |
| cvss2_vuldb_ai | N | N | N |
| cvss2_nvd_av | N | N | N |
| cvss2_nvd_ac | M | M | M |
| cvss2_nvd_au | N | N | N |
| cvss2_nvd_ci | P | P | P |
| cvss2_nvd_ii | P | P | P |
| cvss2_nvd_ai | P | P | P |
| cvss3_meta_basescore | 7.6 | 7.6 | 7.6 |
| cvss3_meta_tempscore | 7.3 | 7.3 | 7.3 |
| cvss3_vuldb_basescore | 6.5 | 6.5 | 6.5 |
| cvss3_vuldb_tempscore | 6.2 | 6.2 | 6.2 |
| cvss3_vuldb_av | N | N | N |
| cvss3_vuldb_ac | L | L | L |
| cvss3_vuldb_pr | N | N | N |
| cvss3_vuldb_ui | N | N | N |
| cvss3_vuldb_s | U | U | U |
| cvss3_vuldb_c | L | L | L |
| cvss3_vuldb_i | L | L | L |
| cvss3_vuldb_a | N | N | N |
| cvss3_nvd_av | N | N | N |
| cvss3_nvd_ac | L | L | L |
| cvss3_nvd_pr | N | N | N |
| cvss3_nvd_ui | R | R | R |
| cvss3_nvd_s | U | U | U |
| cvss3_nvd_c | H | H | H |
| cvss3_nvd_i | H | H | H |
| cvss3_nvd_a | H | H | H |
| date | 1521504000 (03/20/2018) | 1521504000 (03/20/2018) | 1521504000 (03/20/2018) |
| url | http://www.openwebanalytics.com/?p=384 | http://www.openwebanalytics.com/?p=384 | http://www.openwebanalytics.com/?p=384 |
| person_name | Dana James Traversie | Dana James Traversie | Dana James Traversie |
| company_name | Dell SecureWorks | Dell SecureWorks | Dell SecureWorks |
| price_0day | $0-$5k | $0-$5k | $0-$5k |
| name | Upgrade | Upgrade | Upgrade |
| date | 1391212800 (02/01/2014) | 1391212800 (02/01/2014) | 1391212800 (02/01/2014) |
| upgrade_version | 1.5.6 | 1.5.6 | 1.5.6 |
| cve | CVE-2014-1457 | CVE-2014-1457 | CVE-2014-1457 |
| cve_assigned | 1389657600 (01/14/2014) | 1389657600 (01/14/2014) | 1389657600 (01/14/2014) |
| cve_nvd_published | 1521504000 | 1521504000 | 1521504000 |
| cve_nvd_summary | Open Web Analytics (OWA) before 1.5.6 improperly generates random nonce values, which makes it easier for remote attackers to bypass a CSRF protection mechanism by leveraging knowledge of an OWA user name. | Open Web Analytics (OWA) before 1.5.6 improperly generates random nonce values, which makes it easier for remote attackers to bypass a CSRF protection mechanism by leveraging knowledge of an OWA user name. | Open Web Analytics (OWA) before 1.5.6 improperly generates random nonce values, which makes it easier for remote attackers to bypass a CSRF protection mechanism by leveraging knowledge of an OWA user name. |
| securityfocus | 65573 | 65573 | 65573 |
| securityfocus_date | 1392249600 (02/13/2014) | 1392249600 (02/13/2014) | 1392249600 (02/13/2014) |
| securityfocus_class | Input Validation Error | Input Validation Error | Input Validation Error |
| securityfocus_title | Open Web Analytics CVE-2014-1457 Cross Site Request Forgery Vulnerability | Open Web Analytics CVE-2014-1457 Cross Site Request Forgery Vulnerability | Open Web Analytics CVE-2014-1457 Cross Site Request Forgery Vulnerability |
| nessus_id | 74189 | 74189 | 74189 |
| nessus_name | Open Web Analytics < 1.5.6 Multiple Vulnerabilities | Open Web Analytics < 1.5.6 Multiple Vulnerabilities | Open Web Analytics < 1.5.6 Multiple Vulnerabilities |
| nessus_filename | open_web_analytics_1_5_6.nasl | open_web_analytics_1_5_6.nasl | open_web_analytics_1_5_6.nasl |
| nessus_risk | Medium | Medium | Medium |
| nessus_family | CGI abuses | CGI abuses | CGI abuses |
| nessus_type | remote | remote | remote |
| nessus_date | 1401148800 (05/27/2014) | 1401148800 (05/27/2014) | 1401148800 (05/27/2014) |
| seealso | 66479 | 66479 | 66479 |
| location | Website | Website | Website |
| cvss2_vuldb_e | ND | ND | ND |
| cvss2_vuldb_rl | OF | OF | OF |
| cvss2_vuldb_rc | ND | ND | ND |
| cvss3_vuldb_e | X | X | X |
| cvss3_vuldb_rl | O | O | O |
| cvss3_vuldb_rc | X | X | X |
| cvss3_nvd_basescore | 8.8 | 8.8 | 8.8 |
| discoverydate | | 1392249600 | 1392249600 |
| confirm_url | | http://www.openwebanalytics.com/?p=384 | http://www.openwebanalytics.com/?p=384 |
| osvdb | | 103318 | 103318 |
| osvdb_title | | CVE-2014-1457 - Openwebanalytics - Open Web Analytics - Medium | CVE-2014-1457 - Openwebanalytics - Open Web Analytics - Medium |
| xforce | | | 91125 |
| cvss2_nvd_basescore | | | 6.8 |
