Omeka < 2.2.1 Multiple Vulnerabilities

medium Nessus Network Monitor Plugin ID 8330

Synopsis

The remote web server is running a vulnerable version of Omeka content management system.

Description

Versions of Omeka earlier than 2.2.1 are vulnerable to the following issues:

- An HTML-injection vulnerability via the 'api_key_label' parameter, which can be leveraged for cross-site scripting attacks

- Insufficient authentication mechanisms in place for HTTP requests to /admin/users/add, /admin/users/api-keys/1, and /admin/settings/edit-security scripts could allow a context-dependent attacker to perform a cross-site request forgery attack that results in super-user accounts being created and activated.

Solution

Upgrade to Omeka 2.2.1 or later.

See Also

http://omeka.org/blog/2014/07/16/omeka-2-2-1-security-update-released/

http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5193.php

http://omeka.org/codex/Release_Notes_for_2.2.1

Plugin Details

Severity: Medium

ID: 8330

Family: Web Servers

Published: 7/18/2014

Updated: 3/6/2019

Risk Information

CVSS v2

Risk Factor: Medium

Base Score: 4.9

Temporal Score: 3.8

Vector: CVSS2#AV:A/AC:M/Au:S/C:P/I:P/A:P

CVSS v3

Risk Factor: Medium

Base Score: 4.6

Temporal Score: 4.2

Vector: CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Patch Publication Date: 7/17/2014

Vulnerability Publication Date: 7/17/2014

Reference Information

BID: 68707