{"id": "CVE-2013-5726", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}]}, "published": "2013-11-12T20:55:04.483", "references": [{"url": "http://blog.binaryfactory.ca/2013/11/cve-2013-5726-tweetbot-for-ios-and-mac-user-disclosureprivacy-issue/", "tags": ["Exploit"], "source": "cve@mitre.org"}, {"url": "http://osvdb.org/99256", "source": "cve@mitre.org"}, {"url": "http://seclists.org/fulldisclosure/2013/Nov/9", "tags": ["Exploit"], "source": "cve@mitre.org"}, {"url": "http://blog.binaryfactory.ca/2013/11/cve-2013-5726-tweetbot-for-ios-and-mac-user-disclosureprivacy-issue/", "tags": ["Exploit"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://osvdb.org/99256", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://seclists.org/fulldisclosure/2013/Nov/9", "tags": ["Exploit"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-352"}]}], "descriptions": [{"lang": "en", "value": "Tweetbot 1.3.3 for Mac, and 2.8.5 for iPad and iPhone, does not require confirmation of (1) follow or (2) favorite actions, which allows remote attackers to automatically force the user to perform undesired actions, as demonstrated via the tweetbot:///follow/ URL."}, {"lang": "es", "value": "Tweetbot 1.3.3 para Mac, y 2.8.5 para iPad y iPhone, no requiere confirmaci\u00f3n de (1) seguimiento o (2) acciones favoritas, lo que permite a atacantes remotos forzar autom\u00e1ticamente al usuario para realizar acciones no deseadas, tal y como se demostr\u00f3 a trav\u00e9s de la URL tweetbot:///follow/."}], "lastModified": "2025-04-11T00:51:21.963", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:tapbots:tweetbot:1.3.3:-:*:*:*:mac:*:*", "vulnerable": true, "matchCriteriaId": "C3E6D204-A72F-41B7-B091-AE4A0BD871AB"}, {"criteria": "cpe:2.3:a:tapbots:tweetbot:2.8.5:-:*:*:*:ipad:*:*", "vulnerable": true, "matchCriteriaId": "4EEEC4B9-1D7F-435B-920D-24AF39C758EE"}, {"criteria": "cpe:2.3:a:tapbots:tweetbot:2.8.5:-:*:*:*:iphone:*:*", "vulnerable": true, "matchCriteriaId": "2C66EF3D-9C61-4941-9944-0FB6D9A0CFD1"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}