CVE-2007-5109
Flatnuke - CSRF
Cross-site request forgery (CSRF) vulnerability in index.php in FlatNuke 2.6, and possibly 3, allows remote attackers to change the password and privilege level of arbitrary accounts via the user parameter and modified (1) regpass and (2) level parameters in a none_Login action, as demonstrated by using a Flash object to automatically make the request.
References (5)
Scores
EPSS: 0.0018
EPSS Percentile: 39.2%
Classification
CWE: CWE-352
Status: draft
Affected Products (1)
flatnuke/flatnuke
Timeline
Published: Sep 26, 2007
Tracked Since: Feb 18, 2026