CVE-2014-5100
CVE-2014-5100 is a medium-severity vulnerability in Omeka with a CVSS 2.0 base score of 6.8. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-352.
Key facts
- Severity: Medium (CVSS 2.0 base score 6.8)
- EPSS exploit prediction: 2% (83rd percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-352
- Affected product: Omeka
- Published:
- Last modified:
Description
Multiple cross-site request forgery (CSRF) vulnerabilities in Omeka before 2.2.1 allow remote attackers to hijack the authentication of administrators for requests that (1) add a new super user account via a request to admin/users/add, (2) insert cross-site scripting (XSS) sequences via the api_key_label parameter to admin/users/api-keys/1, or (3) disable file validation via a request to admin/settings/edit-security.
Frequently asked questions
- What is CVE-2014-5100?
- Multiple cross-site request forgery (CSRF) vulnerabilities in Omeka before 2.2.1 allow remote attackers to hijack the authentication of administrators for requests that (1) add a new super user account via a request to admin/users/add, (2) insert cross-site scripting (XSS) sequences via the api_key_label parameter to admin/users/api-keys/1, or (3) disable file validation via a request to admin/settings/edit-security.
- How severe is CVE-2014-5100?
- CVE-2014-5100 has a CVSS 2.0 base score of 6.8, rated medium severity.
- Is CVE-2014-5100 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 2% (83rd percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2014-5100?
- CVE-2014-5100 affects Omeka. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2014-5100?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2014-5100 published?
- CVE-2014-5100 was published on 2014-07-25 and last updated on 2026-06-17.
References
- http://omeka.org/blog/2014/07/16/omeka-2-2-1-security-update-released
- http://omeka.org/codex/Release_Notes_for_2.2.1
- http://packetstormsecurity.com/files/127523/Omeka-2.2-Cross-Site-Request-Forgery-Cross-Site-Scripting.html
- http://www.exploit-db.com/exploits/34100
- http://www.securityfocus.com/bid/68707
- http://www.zeroscience.mk/codes/omeka_csrfxss.txt
- http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5193.php
- https://exchange.xforce.ibmcloud.com/vulnerabilities/94689
- https://exchange.xforce.ibmcloud.com/vulnerabilities/94690
Affected products (1)
- cpe:2.3:a:omeka:omeka:*:*:*:*:*:*:*:*
More vulnerabilities in Omeka
- CVE-2021-26799 — Medium (CVSS 6.1): Cross Site Scripting (XSS) vulnerability in admin/files/edit in Omeka Classic <=2.7 allows remote attackers to inject…
- CVE-2018-13423 — Medium (CVSS 6.1): admin/themes/default/items/tag-form.php in Omeka before 2.6.1 allows XSS by adding or editing a tag.
- CVE-2023-3981 — Medium (CVSS 4.9): Server-Side Request Forgery (SSRF) in GitHub repository omeka/omeka-s prior to 4.0.2.
- CVE-2023-3982 — Medium (CVSS 4.8): Cross-site Scripting (XSS) - Stored in GitHub repository omeka/omeka-s prior to 4.0.2.
- CVE-2023-3980 — Medium (CVSS 4.8): Cross-site Scripting (XSS) - Stored in GitHub repository omeka/omeka-s prior to 4.0.2.
Other CWE-352 (Cross-Site Request Forgery (CSRF)) vulnerabilities
- CVE-2025-32642 — Critical (CVSS 10.0): Cross-Site Request Forgery (CSRF) vulnerability in appsbd Vite Coupon vite-coupon allows Remote Code Inclusion.This…
- CVE-2025-23922 — Critical (CVSS 10.0): Cross-Site Request Forgery (CSRF) vulnerability in Harsh iSpring Embedder embed-ispring allows Upload a Web Shell to a…
- CVE-2017-5145 — Critical (CVSS 10.0): An issue was discovered in Carlo Gavazzi VMU-C EM prior to firmware Version A11_U05, and VMU-C PV prior to firmware…
- CVE-2019-25729 — Critical (CVSS 9.8): PDF Signer 3.0 contains a server-side template injection vulnerability that allows unauthenticated attackers to execute…
- CVE-2025-48340 — Critical (CVSS 9.8): Cross-Site Request Forgery (CSRF) vulnerability in Danny Vink User Profile Meta Manager user-profile-meta allows…
- CVE-2025-2907 — Critical (CVSS 9.8): The Order Delivery Date WordPress plugin before 12.3.1 does not have authorization and CSRF checks when importing…
Browse all CWE-352 (Cross-Site Request Forgery (CSRF)) vulnerabilities →