CVE-2008-7193

PHPKIT 1.6.4 PL1 - Cross-Site Request Forgery via PHPKITSID Parameter

Title source: llm
STIX 2.1

Description

PHPKIT 1.6.4 PL1 includes the session ID in the URL, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks by reading the PHPKITSID parameter from the HTTP Referer and using it in a request to (1) modify the user profile via upload_files/include.php or (2) create a new administrator via upload_files/pk/include.php.

References (3)

Core 3
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/40033
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/487249/100/200/threaded
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://osvdb.org/50998

Scores

EPSS 0.0057
EPSS Percentile 43.4%

Details

CWE
CWE-352
Status published
Products (1)
phpkit/phpkit 1.6.4pl1
Published Sep 09, 2009
Tracked Since Feb 18, 2026