Advisory Information
- Title: Carbon Black Cross-Site Request Forgery (CSRF)
- Advisory ID: SWRX-2014-007
- Date published: Tuesday, April 1, 2014
- CVE: CVE-2014-1615
- CVSS v2 base score: 5.1
- Date of last update: Tuesday, April 1, 2014
- Vendors contacted: Carbon Black
- Release mode: Coordinated
- Discovered by: Dana James Traversie, Dell SecureWorks
Summary
Carbon Black is an endpoint security solution that provides administrative functionality and other features via a dedicated web application. Multiple vulnerabilities in the Carbon Black web application could allow an unauthenticated remote attacker to conduct cross-site request forgery (CSRF) attacks. These vulnerabilities are due to insufficient or missing CSRF protections. An attacker could exploit these vulnerabilities by persuading a user to follow a malicious link or visit an attacker-controlled website.
Dell SecureWorks researchers created a proof of concept video to illustrate the vulnerability, the exploit, and its outcome.
Download the PDF: SWRX-2014-007