• Software Link:
• Affected Versions:
Version 3.1.1 and probably other versions.
• Vulnerability Description:
The application lets users perform certain actions via HTTP requests without verifying that those requests were intentionally issued by the user (cross-site request forgery). This can be exploited to, for example, change certain configuration settings or create a user with administrative privileges by tricking a logged-in administrator into visiting a malicious web site.
No official solution is currently available.
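The missing request validation described above, shown as an added example that is not code from the advisory or from the affected product: a state-changing admin action that only checks for a logged-in admin session, beside the same action guarded by a per-session token and an Origin/Referer check. The request model, session store and SITE_ORIGIN are constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

SITE_ORIGIN = "https://app.example"  # assumed origin of the application
# Constructed session store: cookie value -> session data, incl. a per-session CSRF token
SESSIONS = {"s3ss10n": {"user": "admin", "role": "admin", "csrf": secrets.token_hex(16)}}

@dataclass
class Request:
    method: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)

def _session_for(req):
    return SESSIONS.get(req.cookies.get("session"))

def _origin_of(req):
    """Origin of the page that issued the request, from Origin or Referer."""
    value = req.headers.get("Origin") or req.headers.get("Referer")
    if not value:
        return None
    parts = urlsplit(value)
    return f"{parts.scheme}://{parts.netloc}"

def create_user_vulnerable(req, users):
    """Only checks that an admin session exists: any site can trigger the action."""
    session = _session_for(req)
    if session is None or session["role"] != "admin":
        return 403
    users[req.form["username"]] = req.form["role"]
    return 200

def create_user_hardened(req, users):
    """Same action, but the request must prove it came from the application's own page."""
    session = _session_for(req)
    if session is None or session["role"] != "admin":
        return 403
    if req.method != "POST":
        return 405  # state changes are never accepted via GET
    if _origin_of(req) != SITE_ORIGIN:
        return 403  # cross-origin or missing origin information
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token.encode(), session["csrf"].encode()):
        return 403  # a third-party page cannot know the session's token
    users[req.form["username"]] = req.form["role"]
    return 200
```

The browser attaches the session cookie to any request regardless of which page issued it, which is why the session check alone is not enough; the token lives only in pages served by the application, so a forged request cannot supply it.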
• Disclosure Timeline:
[06/11/2013] – Vendor notified
[06/11/2013] – Vendor response stating “Please immediately cease and desist all such communications”
[05/12/2013] – Public disclosure
• CVE Reference:
Vulnerability discovered by Egidio Romano, Secunia Research.
• Original Advisory: