CVE-2008-7193
PHPKIT 1.6.4 PL1 - Cross-Site Request Forgery via PHPKITSID Parameter
Title source: llmDescription
PHPKIT 1.6.4 PL1 includes the session ID in the URL, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks by reading the PHPKITSID parameter from the HTTP Referer and using it in a request to (1) modify the user profile via upload_files/include.php or (2) create a new administrator via upload_files/pk/include.php.
References (3)
Core 3
Core References
Third Party Advisory, VDB Entry vdb-entry
x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/40033
Third Party Advisory, VDB Entry mailing-list
x_refsource_bugtraq
http://www.securityfocus.com/archive/1/487249/100/200/threaded
Third Party Advisory, VDB Entry vdb-entry
x_refsource_osvdb
http://osvdb.org/50998
Scores
EPSS
0.0057
EPSS Percentile
43.4%
Details
CWE
CWE-352
Status
published
Products (1)
phpkit/phpkit
1.6.4pl1
Published
Sep 09, 2009
Tracked Since
Feb 18, 2026