
Omeka < 2.2.1 Multiple Vulnerabilities

Medium

Synopsis

The remote web server is running a version of the Omeka content management system that is affected by multiple vulnerabilities.

Description

Versions of Omeka earlier than 2.2.1 are vulnerable to the following issues:

- An HTML-injection vulnerability via the 'api_key_label' parameter, which can be leveraged for cross-site scripting attacks

- The /admin/users/add, /admin/users/api-keys/1, and /admin/settings/edit-security scripts do not adequately verify that state-changing HTTP requests originate from the application itself. A context-dependent attacker who lures an authenticated administrator to an attacker-controlled page can perform a cross-site request forgery attack that results in super-user accounts being created and activated.
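As an added example (not Tenable's plugin code and not Omeka's own code), the following Python implements the version test this advisory describes, treating pre-release builds of 2.2.1 as still affected and comparing components numerically so that 2.10 is not mistaken for an old release, together with a crude scan of the three affected admin forms for a hidden anti-CSRF field. It assumes, which the advisory does not state, that the version is disclosed in a `generator` meta tag and that a protected form carries a hidden input whose name contains "csrf" or "token"; the sample page is constructed inline.

```python
"""Version check for the Omeka < 2.2.1 advisory plus a form-level
anti-CSRF-token presence check. Added example; assumptions are marked."""
import re
from html.parser import HTMLParser

FIXED_VERSION = (2, 2, 1, 0)          # first fixed release; trailing 0 = final build
AFFECTED_PATHS = ("/admin/users/add",
                  "/admin/users/api-keys/1",
                  "/admin/settings/edit-security")


def parse_version(text):
    """Turn '2.2', '2.1.4' or '2.2.1-rc2' into a comparable 4-tuple.
    Missing components count as 0; a pre-release suffix (rc, beta, alpha,
    dev) sorts below the final build of the same number."""
    m = re.match(r"^\s*v?(\d+(?:\.\d+)*)(.*)$", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")][:3]
    while len(parts) < 3:
        parts.append(0)
    suffix = m.group(2)
    prerelease = bool(re.match(r"^[-._ ]?(rc|beta|alpha|dev|a|b)\d*", suffix, re.I))
    parts.append(-1 if prerelease else 0)
    return tuple(parts)


def is_vulnerable(version_text):
    """True when the reported version is earlier than 2.2.1."""
    return parse_version(version_text) < FIXED_VERSION


class _MetaGenerator(HTMLParser):
    """Collect the content of <meta name="generator"> if present."""
    def __init__(self):
        super().__init__()
        self.generator = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag.lower() == "meta" and (a.get("name") or "").lower() == "generator":
            self.generator = a.get("content")


def omeka_version_from_html(html):
    """Assumption: the version is exposed as 'Omeka X.Y.Z' in the generator
    meta tag. Returns the version string or None."""
    p = _MetaGenerator()
    p.feed(html)
    if not p.generator:
        return None
    m = re.search(r"Omeka\s+(\S+)", p.generator)
    return m.group(1) if m else None


class _FormScanner(HTMLParser):
    """Record each <form>'s action and the names of its hidden inputs."""
    def __init__(self):
        super().__init__()
        self.forms = []  # list of (action, [hidden input names])

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        t = tag.lower()
        if t == "form":
            self.forms.append((a.get("action") or "", []))
        elif t == "input" and self.forms and (a.get("type") or "").lower() == "hidden":
            self.forms[-1][1].append(a.get("name") or "")


def forms_missing_csrf_token(html):
    """Return the actions of forms posting to an affected path that carry no
    hidden field whose name looks like an anti-CSRF token (assumed naming:
    contains 'csrf' or 'token'). Absence is a strong hint, not proof."""
    s = _FormScanner()
    s.feed(html)
    missing = []
    for action, hidden in s.forms:
        if not any(action.endswith(p) for p in AFFECTED_PATHS):
            continue
        if not any(re.search(r"csrf|token", n, re.I) for n in hidden):
            missing.append(action)
    return missing


# Constructed sample page, not captured from a real Omeka install.
SAMPLE_PAGE = """<html><head>
<meta name="generator" content="Omeka 2.2">
</head><body>
<form method="post" action="/admin/users/add">
  <input type="text" name="username">
  <input type="submit" value="Add">
</form>
<form method="post" action="/admin/users/browse">
  <input type="hidden" name="csrf_token" value="abc">
</form>
</body></html>"""

if __name__ == "__main__":
    v = omeka_version_from_html(SAMPLE_PAGE)
    print(f"reported version: {v}, vulnerable: {is_vulnerable(v)}")
    print("affected forms without anti-CSRF token:", forms_missing_csrf_token(SAMPLE_PAGE))
```

The form scan is a heuristic for triage only: a hidden field named with "csrf" proves nothing about whether the server validates it, so a version below 2.2.1 should be treated as affected regardless of what the forms look like.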

Solution

Upgrade to Omeka 2.2.1 or later.