CVE-2008-7214

Cross-site request forgery (CSRF) vulnerability in administrator/index2.php in MOStlyCE before 2.4, as used in Mambo 4.6.3 and earlier, allows remote attackers to hijack the authentication of administrators for requests that add new administrator accounts via the save task in a com_users action, as demonstrated using a separate XSS vulnerability in mambots/editors/mostlyce/jscripts/tiny_mce/filemanager/connectors/php/connector.php.

• CWE-352

• http://archives.neohapsis.com/archives/bugtraq/2008-02/0444.html
• http://forum.mambo-foundation.org/showthread.php?t=10158
• http://osvdb.org/42531Exploit
• http://secunia.com/advisories/28670Vendor Advisory
• http://www.bugreport.ir/index_33.htmExploit
• http://www.securityfocus.com/archive/1/487128/100/200/threaded
• http://www.vupen.com/english/advisories/2008/0325Vendor Advisory
• https://exchange.xforce.ibmcloud.com/vulnerabilities/39985
• http://archives.neohapsis.com/archives/bugtraq/2008-02/0444.html
• http://forum.mambo-foundation.org/showthread.php?t=10158
• http://osvdb.org/42531Exploit
• http://secunia.com/advisories/28670Vendor Advisory
• http://www.bugreport.ir/index_33.htmExploit
• http://www.securityfocus.com/archive/1/487128/100/200/threaded
• http://www.vupen.com/english/advisories/2008/0325Vendor Advisory
• https://exchange.xforce.ibmcloud.com/vulnerabilities/39985

Published

Sep 11, 2009

Last Modified

Jun 16, 2026

Status

Modified