CVE-2007-6640 - Permissions, Privileges, and Access Control vulnerability in Sourceforge Creammonkey and Greasekit

Publication

2008-01-04

Last modification

2017-08-08

Summary

Creammonkey 0.9 through 1.1 and GreaseKit 1.2 through 1.3 does not properly prevent access to dangerous functions, which allows remote attackers to read the configuration, modify the configuration, or send an HTTP request via the (1) GM_addStyle, (2) GM_log, (3) GM_openInTab, (4) GM_setValue, (5) GM_getValue, or (6) GM_xmlhttpRequest function within a web page on which a userscript is configured.

Classification

CWE-264 - Permissions, Privileges, and Access Control

Risk level (CVSS AV:N/AC:L/Au:N/C:P/I:P/A:N)

Medium

6.4

Access Vector

  • Network
  • Adjacent Network
  • Local

Access Complexity

  • Low
  • Medium
  • High

Authentication

  • None
  • Single
  • Multiple

Confident. Impact

  • Complete
  • Partial
  • None

Integrity Impact

  • Complete
  • Partial
  • None

Affected Products

Vendor Product Versions
Sourceforge Creammonkey  0.9 , 1.1 , 1.0
Sourceforge Greasekit  1.2 , 1.3