Airtime Security Advisory: CVE-2014-4915
  • Vote Up0Vote Down Albert SantoniAlbert Santoni
    Posts: 68Member, Sourcefabric Team, Airtime Moderator

    Sourcefabric Security Advisory

    Airtime Vulnerability

    Session cookie weakness could allow unauthorized account access

    Published: July 16th, 2014

    Affected Software: Airtime 1.6.0 - 2.5.1

    CVE number: CVE-2014-4915

    Severity: Medium

    Reporter: Albert Santoni (Sourcefabric, Airtime Team)


    User accounts, as implemented in Airtime 1.6.0 - 2.5.1, allow a remote attacker to spoof a session belonging to a different Airtime installation running on the same web server.


    Airtime accounts on web servers hosting multiple Airtime installations can be spoofed. Web servers hosting single Airtime installations are not affected.



    [1] Airtime - the open source radio automation software

    [2] Airtime 2.5.1 CVE-2014-4915 Session pinning patch

    [3] Airtime 2.5.1a tarball

    Post edited by Albert Santoni at 2014-07-16 11:41:50
    Airtime Developer @ Sourcefabric