VirtualIQ Pro contains a flaw that allows a remote Cross-site Request Forgery (CSRF / XSRF) attack. The flaw exists because the application does not require multiple steps or explicit confirmation for sensitive transactions such as create arbitrary users with administrative rights . By using a crafted URL (e.g., a crafted GET request inside an "img" tag), an attacker may trick the victim into clicking on the image to take advantage of the trust relationship between the authenticated victim and the application. Such an attack could trick the victim into executing arbitrary commands in the context of their session with the application, without further prompting or verification.

Upgrade to version 3.5 build 10.14.2009 or higher, as it has been reported to fix this vulnerability. Note that this flaw was fixed in the 2009-10-14 release without a change in version number. An upgrade is required as there are no known workarounds.

Unknown or Incomplete

• Exploit Database: 10085
• CVE ID: 2009-4849 (see also: NVD)
• Secunia Advisory ID: 37359
• Related OSVDB ID: 60079 60080 60081 60082 60083
• Other Advisory URL: http://www.securenetwork.it/ricerca/advisory/download/SN-2009-02.txt
• Vendor URL: http://www.toutvirtual.com

Unknown or Incomplete