Veracode Vulnerability Database - VERACODE:46002
History: Mar 26, 2024 - 3:47 a.m.

Cross-Site Request Forgery (CSRF)

Published: 2024-03-26 03:47:06
Source: Veracode Vulnerability Database (sca.analysiscenter.veracode.com)
Tags: csrf, cross-site request forgery, github, owncast, vulnerable, cors policy

CVSS3: 8.2
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: HIGH
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N

AI Score: 6.7
Confidence: Low
EPSS: 0.001
Percentile: 27.8%

github.com/owncast/owncast is vulnerable to Cross-Site Request Forgery (CSRF). The vulnerability is due to the function RequireAdminAuth in the auth.go file allowing cross-origin requests; this flaw enables attackers to access privileged information, such as the admin password, by exploiting the lenient CORS policy.
