Lucene search

Veracode Vulnerability DatabaseVERACODE:37244

HistorySep 23, 2022 - 4:56 a.m.

Cross-Site Request Forgery (CSRF)

2022-09-2304:56:33

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

3.5 Low

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

3.5 Low

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

0.0004 Low

EPSS

Percentile

12.0%

JSON

rdiffweb is vulnerable to cross-site request forgery. The vulnerability exists because the render_prefs_panel function in pref_notification.py does not properly handle the password_form and profile_form attributes, allowing an attacker to change the email ID of the user by redirecting to the malicious urls.

CPENameOperatorVersion
rdiffweble2.4.5
rdiffweble2.4.5

CPE	Name	Operator	Version
	rdiffweb	le	2.4.5
	rdiffweb	le	2.4.5

References

github.com/advisories/GHSA-gmj8-84r4-h46j

github.com/ikus060/rdiffweb/commit/e974df75bdbcff3996ad70bd1b4424ec1485ea3f

huntr.dev/bounties/8834c356-4ddb-4be7-898b-d76f480e9c3f

huntr.dev/bounties/8834c356-4ddb-4be7-898b-d76f480e9c3f/

3.5 Low

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

3.5 Low

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

0.0004 Low

EPSS

Percentile

12.0%

JSON

Related for VERACODE:37244