Cross-site request forgery (CSRF) vulnerability in adduser.do in Symantec LiveUpdate Administrator (LUA) before 2.3 allows remote attackers to hijack the authentication of administrators for requests that create new administrative accounts, and possibly have unspecified other impact, via the userRole parameter.
The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
| Link | Tags |
|---|---|
| http://secunia.com/advisories/43820 | third party advisory vendor advisory |
| https://exchange.xforce.ibmcloud.com/vulnerabilities/66213 | vdb entry |
| http://www.osvdb.org/71261 | vdb entry |
| http://sotiriu.de/adv/NSOADV-2011-001.txt | exploit |
| http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2011&suid=20110321_00 | |
| http://www.exploit-db.com/exploits/17026 | exploit |
| http://securityreason.com/securityalert/8160 | third party advisory |
| http://www.vupen.com/english/advisories/2011/0727 | vdb entry vendor advisory |
| http://securitytracker.com/id?1025242 | vdb entry exploit |
| http://www.securityfocus.com/archive/1/517109/100/0/threaded | mailing list |