Lucene search

GitHub Advisory DatabaseGHSA-GJWP-7V3G-99PJ

HistorySep 02, 2021 - 5:09 p.m.

Cross-site Request Forgery (CSRF) in joplin

2021-09-0217:09:05

CWE-352

GitHub Advisory Database

github.com

joplin

csrf

vulnerability

software

missing csrf checks

forms

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

41.1%

JSON

The package joplin before 2.3.2 are vulnerable to Cross-site Request Forgery (CSRF) due to missing CSRF checks in various forms.

Affected configurations

Vulners

Node

joplin_projectjoplinRange<2.3.2

VendorProductVersionCPE
joplin_projectjoplin*cpe:2.3:a:joplin_project:joplin:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
joplin_project	joplin	*	cpe:2.3:a:joplin_project:joplin::::::::

References

github.com/advisories/GHSA-gjwp-7v3g-99pj

github.com/laurent22/joplin/commit/19b45de2981c09f6f387498ef96d32b4811eba5e

nvd.nist.gov/vuln/detail/CVE-2021-23431

snyk.io/vuln/SNYK-JS-JOPLIN-1325537

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

41.1%

JSON

Related for GHSA-GJWP-7V3G-99PJ