http://bugzilla.suse.com/show_bug.cgi?id=937786

Bug ID: 937786
Summary: CVE-2015-5395: lack of CSRF protection in sogo
Classification: openSUSE
Product: openSUSE.org
Version: unspecified
Hardware: Other
URL: https://smash.suse.de/issue/118568/
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: 3rd party software
Assignee: c.schweingruber@catatec.ch
Reporter: astieger@suse.com
QA Contact: opensuse-communityscreening@forge.provo.novell.com
CC: chris@computersalat.de
Found By: Security Response Team
Blocker: ---

Courtesy bug from the SUSE Security team:

http://www.sogo.nu/bugs/view.php?id=3246

0003246: No CSRF token - requests can be forged

No CSRF token is used when creating events in the calendar, adding contacts, ...
An attacker can therefore prepare a website that triggers POST requests for a
victim to perform actions under his/her account. Only the username of the
victim needs to be known.

- create a new contact
- intercept and save the request
- replace your username with the username of the victim in the request
- create a webpage that sends the POST request automatically
- lure the victim into visiting your webpage
- if the victim is still logged in, the action will be performed
  (i.e. send him/her an email with a link to your site)

Dear maintainers,

no upstream release is available. Reference this bug and CVE when you commit a
patch or submit a fixed release.

References:
http://www.sogo.nu/bugs/view.php?id=3246
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5395
http://seclists.org/oss-sec/2015/q3/86
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5395
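The report above boils down to one missing check: the server accepts any POST that carries the victim's session cookie, which the browser attaches automatically from an attacker-controlled page. The following example, added here and not taken from SOGo or from the bug report, shows the defence a maintainer would add: a synchronizer token bound to the session via HMAC, plus an Origin/Referer check, applied to a constructed legitimate request and a constructed cross-site forgery. The server secret, the trusted origin and the request dictionaries are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed values for the example: per-deployment secret and the origin users log in at.
SERVER_SECRET = secrets.token_bytes(32)
TRUSTED_ORIGIN = "https://groupware.example.test"


def issue_csrf_token(session_id: str) -> str:
    """Mint a token tied to one session: nonce plus HMAC(secret, session_id:nonce).
    A token copied from the attacker's own session will not verify for the victim's."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def valid_csrf_token(session_id: str, token) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    try:
        nonce, mac = token.split(".", 1)
    except (AttributeError, ValueError):  # missing or malformed token
        return False
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def source_origin_ok(headers: dict) -> bool:
    """Second layer: the browser-set Origin (or Referer) must name the trusted site."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == TRUSTED_ORIGIN


def accept_state_change(session_id: str, headers: dict, form: dict) -> bool:
    """Allow a state-changing POST only if both the token and the source origin check out."""
    return valid_csrf_token(session_id, form.get("csrf_token")) and source_origin_ok(headers)


def demo() -> tuple:
    """Constructed requests: the victim's real 'add contact' POST versus a forged one.
    Both carry the same session cookie; only the token and Origin differ."""
    session = "sess-victim-0001"  # constructed session id from the victim's cookie
    legit = accept_state_change(session, {"Origin": TRUSTED_ORIGIN},
                                {"csrf_token": issue_csrf_token(session), "name": "Alice"})
    forged = accept_state_change(session, {"Origin": "https://attacker.example.test"},
                                 {"name": "Mallory"})  # cross-site form has no valid token
    return legit, forged  # → (True, False)
```

The Origin check alone is not enough (some clients omit the header), and the token alone is enough in principle; keeping both gives defence in depth against the mass-assignment style of forgery the report describes.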