Airtime Security Advisory: CVE-2014-4915
  • Albert Santoni
    Posts: 68Member, Sourcefabric Team, Airtime Moderator

    Sourcefabric Security Advisory

    Airtime Vulnerability

    Session cookie weakness could allow unauthorized account access


    Published: July 16th, 2014

    Affected Software: Airtime 1.6.0 - 2.5.1

    CVE number: CVE-2014-4915

    Severity: Medium

    Reporter: Albert Santoni (Sourcefabric, Airtime Team)


    Overview:

    User accounts, as implemented in Airtime 1.6.0 - 2.5.1, allow a remote attacker to spoof a session belonging to a different Airtime installation running on the same web server.


    Impact:

    Airtime accounts on web servers hosting multiple Airtime installations can be spoofed. Web servers hosting single Airtime installations are not affected.


    Solutions:



    References:


    [1] Airtime - the open source radio automation software

    [2] Airtime 2.5.1 CVE-2014-4915 Session pinning patch

    [3] Airtime 2.5.1a tarball

    Airtime Developer @ Sourcefabric