Omeka < 2.2.1 Multiple Vulnerabilities

Severity: medium | Nessus Network Monitor Plugin ID 8330

Synopsis

The remote web server is running a vulnerable version of the Omeka content management system.

Description

Versions of Omeka earlier than 2.2.1 are vulnerable to the following issues:

- An HTML-injection vulnerability via the 'api_key_label' parameter, which can be leveraged for cross-site scripting attacks.

- Insufficient authentication checks on HTTP requests to the /admin/users/add, /admin/users/api-keys/1, and /admin/settings/edit-security scripts could allow a context-dependent attacker to perform a cross-site request forgery attack that results in super-user accounts being created and activated.

Solution

Upgrade to Omeka 2.2.1 or later.

See Also

http://omeka.org/blog/2014/07/16/omeka-2-2-1-security-update-released/

http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5193.php

http://omeka.org/codex/Release_Notes_for_2.2.1

Plugin Details

Severity: Medium

ID: 8330

Family: Web Servers

Published: 7/18/2014

Updated: 3/6/2019

Vulnerability Information

Patch Publication Date: 7/17/2014

Vulnerability Publication Date: 7/17/2014

Reference Information

BID: 68707