Main Vulnerability Database Vulnerabilities #VU7234

Cross-site request forgery in Kaspersky Anti-Virus - CVE-2017-9813

Published: June 29, 2017 / Updated: September 14, 2018

Vulnerability identifier: #VU7234

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/U:Clear

CVE-ID: CVE-2017-9813

CWE-ID: CWE-352

Exploitation vector: Remote access

Exploit availability: Public exploit is available

Vendor: Kaspersky Lab

Affected software:
Kaspersky Anti-Virus

Detailed vulnerability description

The vulnerability allows a remote attacker to perform CSRF attacks.

The vulnerability exists due to improper validation of HTML code from user-supplied input by the Web Management Console. A remote attacker can execute arbitrary scripting code that originate from the site running the Kaspersky Anti-Virus software and will run in the security context of that site and access the target user's cookies (including authentication cookies)

Successful exploitation of the vulnerability may result in cross-site request forgery conducting.

How to mitigate CVE-2017-9813

Update to version 8.0.4.312.

Sources

https://support.kaspersky.com/vulnerability.aspx?el=12430#280617

Cross-site request forgery in Kaspersky Anti-Virus - CVE-2017-9813

Detailed vulnerability description

How to mitigate CVE-2017-9813

Sources

Please verify you're human