CVE-2013-7137
critical
CVSS v3
9.8
CVSS v2
7.5
VIR risk
9.8
Description
The "remember me" functionality in login.php in Burden before 1.8.1 allows remote attackers to bypass authentication and gain privileges by setting the burden_user_rememberme cookie to 1.
Predictions
Exploit likelihood
97%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: cve@mitre.org — https://github.com/joshf/Burden/releases/tag/1.8.1
Vendor advisory: cve@mitre.org — https://github.com/joshf/Burden/issues/2
Vendor advisory: cve@mitre.org — https://github.com/joshf/Burden/commit/edaa1bb8f73d6f3c8b2e78b67f1b40e02fccd0c1
Application impact
| Vendor | Product | Affected versions | Fixed in |
|---|---|---|---|
| burden_project | burden | < 1.8.1 | 1.8.1 |
References
- http://www.exploit-db.com/exploits/30916
- http://www.securityfocus.com/archive/1/530703/100/0/threaded
- https://github.com/joshf/Burden/commit/edaa1bb8f73d6f3c8b2e78b67f1b40e02fccd0c1
- https://github.com/joshf/Burden/issues/2
- https://github.com/joshf/Burden/releases/tag/1.8.1
- https://www.htbridge.com/advisory/HTB23192
CWEs
CWE-287