CVSS3: 8.8 High

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | REQUIRED |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | HIGH |
Vector String | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |

CVSS2: 6.8 Medium

Metric | Value |
---|---|
Access Vector | NETWORK |
Access Complexity | MEDIUM |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | PARTIAL |
Availability Impact | PARTIAL |
Vector String | AV:N/AC:M/Au:N/C:P/I:P/A:P |

EPSS: 0.002 Low (Percentile 59.3%)
In csrf-magic before 1.0.4, if `$GLOBALS['csrf']['secret']` is not configured, the Anti-CSRF Token used is predictable and would permit an attacker to bypass the CSRF protections, because an automatically generated secret is not used.
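The following is an added illustration, not csrf-magic's own code, of the failure mode the description names: when the configured secret is missing, a token derived only from values the browser already sends can be recomputed by anyone, and the defence is to generate and persist a random secret automatically. The HMAC-based token derivation, the audit helper names, the sample session id and client address, the `csrf-secret.example` path and the minimum secret length are all assumptions of this example and do not describe csrf-magic's actual algorithm.

```php
<?php
declare(strict_types=1);

// ASSUMPTION: a stand-in token derivation with the property the advisory
// describes. Everything but $secret is visible to the client, so the secret
// is the only thing keeping the token unpredictable.
function derive_token(string $secret, string $sessionId, string $clientIp): string
{
    return hash_hmac('sha256', $sessionId . '|' . $clientIp, $secret);
}

// Audit check for the vulnerable condition: no usable secret configured in
// $GLOBALS['csrf']['secret'] (the 32-character minimum is this example's choice).
function csrf_secret_is_configured(array $globals): bool
{
    return isset($globals['csrf']['secret'])
        && is_string($globals['csrf']['secret'])
        && strlen($globals['csrf']['secret']) >= 32;
}

// Fix pattern: create the secret with a CSPRNG on first use and persist it
// (outside the web root) so every request derives tokens from the same value.
function load_or_create_secret(string $path): string
{
    if (is_file($path)) {
        $stored = trim((string) file_get_contents($path));
        if (strlen($stored) >= 64) {
            return $stored;
        }
    }
    $secret = bin2hex(random_bytes(32)); // 256 bits of entropy, hex encoded
    file_put_contents($path, $secret, LOCK_EX);
    chmod($path, 0600);
    return $secret;
}

// Token validation must use a constant-time comparison.
function token_is_valid(string $expected, string $submitted): bool
{
    return hash_equals($expected, $submitted);
}

// --- Demonstration with constructed sample values ---
$sessionId = 'sess_0123456789abcdef'; // constructed
$clientIp  = '198.51.100.7';          // constructed (documentation address range)

// 1) Unconfigured deployment: the secret falls back to '' and the token
//    depends only on public inputs, so it can be recomputed without any secret.
$GLOBALS['csrf'] = [];
$fallbackSecret = $GLOBALS['csrf']['secret'] ?? '';
$serverToken    = derive_token($fallbackSecret, $sessionId, $clientIp);
$noSecretToken  = derive_token('', $sessionId, $clientIp);
printf("secret configured: %s\n", csrf_secret_is_configured($GLOBALS) ? 'yes' : 'no');
printf("token recomputable from public inputs: %s\n",
    token_is_valid($serverToken, $noSecretToken) ? 'yes (vulnerable)' : 'no');

// 2) Fixed deployment: an automatically generated, persisted secret.
$secretPath = sys_get_temp_dir() . '/csrf-secret.example'; // placeholder path
$GLOBALS['csrf']['secret'] = load_or_create_secret($secretPath);
$fixedToken = derive_token($GLOBALS['csrf']['secret'], $sessionId, $clientIp);
printf("secret configured: %s\n", csrf_secret_is_configured($GLOBALS) ? 'yes' : 'no');
printf("token recomputable from public inputs: %s\n",
    token_is_valid($fixedToken, $noSecretToken) ? 'yes (vulnerable)' : 'no');
```

Running this prints `no` / `yes (vulnerable)` for the unconfigured case and `yes` / `no` once the secret is generated. The same `csrf_secret_is_configured` check can be run against a deployment's bootstrap configuration to confirm that a secret is actually set rather than relying on the library's fallback.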
Author | Note |
---|---|
pfsmorigo | CVE-2014-2327 overwrites the affected code and fixes it. Trusty has this CVE included and it was backported upstream at version 0.8.8c. |
csrf.htmlpurifier.org/news/2013/0717-1.0.4-released
repo.or.cz/csrf-magic.git/blob/HEAD:/NEWS.txt
repo.or.cz/csrf-magic.git/commit/9d2537f70d58b16aeba89779aaf1573b8d618e11
launchpad.net/bugs/cve/CVE-2013-7464
nvd.nist.gov/vuln/detail/CVE-2013-7464
security-tracker.debian.org/tracker/CVE-2013-7464
www.cve.org/CVERecord?id=CVE-2013-7464