vendor:
Xnova Legacies
by:
@xploitaday
7.5
CVSS
HIGH
Cross-Site Request Forgery (CSRF)
352
CWE
Product Name: Xnova Legacies
Affected Version From: 2009.2
Affected Version To: 2009.2
Patch Exists: NO
Related CWE: N/A
CPE: a:xnova-ng:xnova_legacies:2009.2
Metasploit:
N/A
Other Scripts:
N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References:
N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2011
Xnova Legacies 2009.2 CSRF
If a moderator visits a malicious link, they can grant themselves admin privileges, allowing them to control the game. The attack URL is http://SERVER/admin/paneladmina.php?result=usr_level&player=PLAYER&authlvl=3, where SERVER and PLAYER are replaced with the appropriate values.
Mitigation:
Ensure that all user input is validated and sanitized before being used in any query or command. Implement CSRF protection tokens to verify that requests are coming from the same origin.