Omeka < 2.2.1 Multiple Vulnerabilities

Medium Nessus Network Monitor Plugin ID 8330

Synopsis

The remote web server is running a vulnerable version of the Omeka content management system.

Description

Versions of Omeka earlier than 2.2.1 are vulnerable to the following issues:

- An HTML injection vulnerability in the handling of the 'api_key_label' parameter: the value is not sanitized before it is output, which can be leveraged for cross-site scripting attacks.

- Missing cross-site request forgery protection on HTTP requests to the /admin/users/add, /admin/users/api-keys/1, and /admin/settings/edit-security scripts: the application relies on the authenticated session alone and does not verify that the request originated from its own pages, so a context-dependent attacker who gets an authenticated administrator to visit a crafted page can forge requests that create and activate super-user accounts.
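The two weakness classes above, shown in a constructed Python sketch added here by the editor (it is not Omeka code and does not reproduce the affected Omeka scripts): a user-supplied label echoed into HTML beside its escaped form, and a privileged form handler that trusts the session cookie alone beside one that also demands a per-session anti-CSRF token. All function, class and field names are hypothetical.

```python
import hmac
import html
import secrets
from dataclasses import dataclass, field

# Constructed illustration of the two weakness classes named in the advisory.
# Names are hypothetical; none of this is Omeka's code.


def render_label_unsafe(label: str) -> str:
    """HTML injection: a user-supplied label is echoed into the page as-is, so a
    value containing markup or script becomes part of the document."""
    return f"<td>{label}</td>"


def render_label_safe(label: str) -> str:
    """Hardened form: escape for the HTML text context before output."""
    return f"<td>{html.escape(label, quote=True)}</td>"


@dataclass
class Session:
    """Stand-in for a logged-in admin session carrying a per-session CSRF secret."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))


def _create_user(form: dict) -> bool:
    """The privileged action itself; True when a super-user account is created."""
    return bool(form.get("username")) and form.get("role") == "super"


def add_user_unsafe(session: Session, form: dict) -> bool:
    """CSRF-prone handler: being logged in (the cookie the browser attaches
    automatically) is the only check, so a hidden form on another origin can
    submit this request from the victim administrator's browser."""
    return _create_user(form)


def add_user_safe(session: Session, form: dict) -> bool:
    """Hardened form: the request must also carry the session's CSRF token,
    which a cross-origin page cannot read. The comparison is constant-time."""
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token, session.csrf_token):
        return False
    return _create_user(form)
```

A forged request carries the victim's cookie but cannot carry the token, so the hardened handler rejects it while the same form with the token succeeds; the escaped label renders `<` and `>` as entities instead of live markup.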


Solution

Upgrade to Omeka 2.2.1 or later.
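A check for the version boundary stated above, added here as an example (it is not the NNM plugin's logic): given an Omeka version string, it decides whether the install predates 2.2.1. The advisory does not say how the version is obtained, so the input is assumed to be a version string already in hand; the constant and function names are the editor's.

```python
import re

# From the advisory: Omeka versions earlier than 2.2.1 are affected.
FIXED_VERSION = "2.2.1"

_VERSION_RE = re.compile(
    r"^\s*v?(\d+(?:\.\d+)*)(?:[-.]?(alpha|beta|rc)\w*)?\s*$", re.IGNORECASE
)


def parse_version(version: str) -> tuple:
    """Turn '2.2.1', '2.2' or '2.2.1-rc1' into a tuple that compares numerically.

    Plain string comparison would rank '2.10' below '2.2.1', so each dotted
    component becomes an int and short versions are zero-padded to three parts.
    A pre-release suffix sorts below the final build of the same number, since
    2.2.1-rc1 still predates the fixed 2.2.1 release.
    """
    match = _VERSION_RE.match(version)
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = [int(p) for p in match.group(1).split(".")]
    parts += [0] * (3 - len(parts))
    parts.append(-1 if match.group(2) else 0)
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True when the reported Omeka version is earlier than FIXED_VERSION."""
    return parse_version(version) < parse_version(FIXED_VERSION)


if __name__ == "__main__":
    for v in ("2.1.4", "2.2", "2.2.1-rc1", "2.2.1", "2.10"):
        print(v, "affected" if is_affected(v) else "not affected")
```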

Plugin Details

Severity: Medium

ID: 8330

Family: Web Servers

Published: 2014/07/18

Modified: 2016/02/05

Dependencies: 8166

Risk Information

Risk Factor: Medium

CVSS v2.0

Base Score: 4.9

Temporal Score: 3.8

Vector: CVSS2#AV:A/AC:M/Au:S/C:P/I:P/A:P

Temporal Vector: CVSS2#E:POC/RL:OF/RC:C

CVSS v3.0

Base Score: 4.6

Temporal Score: 4.1


Temporal Vector: CVSS3#E:P/RL:O/RC:C

Vulnerability Information

Patch Publication Date: 2014/07/17

Vulnerability Publication Date: 2014/07/17

Reference Information

BID: 68707