CSRF vulnerability - Continuum doesn't check which form sends credentials
-------------------------------------------------------------------------
Key: MRM-1454
URL: http://jira.codehaus.org/browse/MRM-1454
Project: Archiva
Issue Type: Bug
Components: Users/Security
Reporter: Maria Odea Ching
Assignee: Maria Odea Ching
Priority: Critical
Fix For: 1.3.2
As reported by Anatolia Security Research Group, Apache Archiva doesn't check
which form sends credentials. An attacker can create a specially crafted page
and force Archiva administrators to view it and change their credentials.

Vulnerability reference key: [CVE-2010-3449] Apache Archiva CSRF Vulnerability
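The following is an added illustration, not Archiva's code: a constructed, minimal model of a password-change endpoint showing the defect described above (any POST that carries the session cookie is honoured) next to a hardened version that requires a per-session synchronizer token, which a page on another origin cannot read or embed. Names such as `Request`, `Session`, `SESSIONS` and `login` are assumptions of this example.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed model of a credential-change endpoint (example only, not Archiva's code).

@dataclass
class Request:
    session_id: str  # value of the session cookie the browser attaches automatically
    form: dict       # POSTed form fields

@dataclass
class Session:
    user: str
    password: str
    # Per-session secret, embedded only in forms the application itself serves.
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))

SESSIONS = {}  # session id -> Session

def login(user, password):
    sid = secrets.token_hex(8)
    SESSIONS[sid] = Session(user=user, password=password)
    return sid

def change_password_vulnerable(req):
    """Accepts any POST that carries a valid session cookie. Because the browser
    attaches the cookie regardless of which page submitted the form, a form on a
    third-party page is indistinguishable from the application's own form."""
    sess = SESSIONS[req.session_id]
    sess.password = req.form["new_password"]
    return True

def change_password_hardened(req):
    """Additionally requires the session-bound token, so only a form rendered by
    the application (which knows the token) can change the password."""
    sess = SESSIONS[req.session_id]
    supplied = req.form.get("csrf_token", "")
    if not hmac.compare_digest(supplied, sess.csrf_token):
        return False  # reject: request did not originate from our own form
    sess.password = req.form["new_password"]
    return True
```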