• Software Link:
• Affected Versions:
Version 3.1.1 and probably other versions.
• Vulnerability Description:
The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify that the requests were intentionally issued by the user. This can be exploited to e.g. change certain configuration settings or create a user with administrative privileges by tricking a logged-in administrator into visiting a malicious web site.
No official solution is currently available.
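As an added illustration (not code from the advisory or the affected product), the missing request validation described above, modelled in Python next to a hardened version that ties each state-changing request to a per-session anti-CSRF token; the session store, user table and site origin are constructed stand-ins.

```python
import hmac
import secrets

# Constructed stand-ins for the application's session store and user table
# (hypothetical; the advisory names no implementation or origin).
SITE_ORIGIN = "https://app.example"
SESSIONS = {}                      # session_id -> {"is_admin": bool, "csrf": str}
USERS = {"admin": {"is_admin": True}}

def login_admin():
    """Start an administrator session; return (session_id, csrf_token)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"is_admin": True, "csrf": secrets.token_urlsafe(32)}
    return sid, SESSIONS[sid]["csrf"]

def create_user_vulnerable(cookies, form):
    """State-changing action that trusts the session cookie alone.
    The browser attaches that cookie to a request forged by another site,
    so the handler cannot distinguish it from one the admin intended."""
    sess = SESSIONS.get(cookies.get("session"))
    if not sess or not sess["is_admin"]:
        return 403
    USERS[form["username"]] = {"is_admin": form.get("admin") == "1"}
    return 200

def create_user_hardened(cookies, form, headers):
    """Same action with request validation: the body must carry the
    per-session anti-CSRF token, and a cross-site Origin is rejected."""
    sess = SESSIONS.get(cookies.get("session"))
    if not sess or not sess["is_admin"]:
        return 403
    # A third-party page cannot read the token, so it cannot supply it.
    if not hmac.compare_digest(form.get("csrf_token", ""), sess["csrf"]):
        return 403
    origin = headers.get("Origin")            # defence in depth
    if origin is not None and origin != SITE_ORIGIN:
        return 403
    USERS[form["username"]] = {"is_admin": form.get("admin") == "1"}
    return 200

def simulate():
    """Replay a forged request against both handlers, then a genuine one
    against the hardened handler; return the three HTTP status codes."""
    sid, token = login_admin()
    cookies = {"session": sid}                # sent automatically by the browser
    forged = {"username": "backdoor", "admin": "1"}   # body chosen by the hostile page
    cross_site = {"Origin": "https://evil.example"}
    genuine = {"username": "alice", "admin": "0", "csrf_token": token}
    return (create_user_vulnerable(cookies, forged),
            create_user_hardened(cookies, forged, cross_site),
            create_user_hardened(cookies, genuine, {"Origin": SITE_ORIGIN}))
```

Running `simulate()` shows the forged request creating an administrator through the unprotected handler while the token check rejects it, and the genuine request still succeeds.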
• Disclosure Timeline:
[06/11/2013] – Vendor notified
[06/11/2013] – Vendor response stating “Please immediately cease and desist all such communications”
[05/12/2013] – Public disclosure
• CVE Reference:
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2013-5355 to this vulnerability.
Vulnerability discovered by Egidio Romano, Secunia Research.
• Original Advisory: