Omeka < 2.2.1 Multiple Vulnerabilities

Medium Nessus Network Monitor Plugin ID 8330

Synopsis

The remote web server is running a vulnerable version of Omeka content management system.

Description

Versions of Omeka earlier than 2.2.1 are vulnerable to the following issues:

- An HTML-injection vulnerability via the 'api_key_label' parameter, which can be leveraged for cross-site scripting attacks

- Insufficient authentication mechanisms in place for HTTP requests to /admin/users/add, /admin/users/api-keys/1, and /admin/settings/edit-security scripts could allow a context-dependent attacker to perform a cross-site request forgery attack that results in super-user accounts being created and activated.

Solution

Upgrade to Omeka 2.2.1 or later.

See Also

http://omeka.org/blog/2014/07/16/omeka-2-2-1-security-update-released/

http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5193.php

http://omeka.org/codex/Release_Notes_for_2.2.1

Plugin Details

Severity: Medium

ID: 8330

Family: Web Servers

Published: 2014/07/18

Modified: 2016/02/05

Dependencies: 8166

Risk Information

Risk Factor: Medium

CVSSv2

Base Score: 4.9

Temporal Score: 3.8

Vector: CVSS2#AV:A/AC:M/Au:S/C:P/I:P/A:P

Temporal Vector: CVSS2#E:POC/RL:OF/RC:C

CVSSv3

Base Score: 4.6

Temporal Score: 4.1

Vector: CVSS3#AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L

Temporal Vector: CVSS3#E:P/RL:O/RC:C

Vulnerability Information

Patch Publication Date: 2014/07/17

Vulnerability Publication Date: 2014/07/17

Reference Information

BID: 68707