Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
vulnrichmentGitHub_MVULNRICHMENT:CVE-2024-39326
HistoryJul 02, 2024 - 8:55 p.m.

CVE-2024-39326 SkillTree CSRF Vulnerability allows an attacker to modify the Video and Captions of a Skill

2024-07-0220:55:01
CWE-352
GitHub_M
github.com
2
skilltree
csrf
vulnerability
video
caption
modification
patch

CVSS3

4.4

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N

AI Score

7.2

Confidence

High

SSVC

Exploitation

poc

Automatable

no

Technical Impact

partial

JSON

SkillTree is a micro-learning gamification platform. Prior to version 2.12.6, the endpoint
/admin/projects/{projectname}/skills/{skillname}/video (and probably others) is open to a cross-site request forgery (CSRF) vulnerability. Due to the endpoint being CSRFable e.g POST request, supports a content type that can be exploited (multipart file upload), makes a state change and has no CSRF mitigations in place (samesite flag, CSRF token). It is possible to perform a CSRF attack against a logged in admin account, allowing an attacker that can target a logged in admin of Skills Service to modify the videos, captions, and text of the skill. Version 2.12.6 contains a patch for this issue.

CNA Affected

[
  {
    "vendor": "NationalSecurityAgency",
    "product": "skills-service",
    "versions": [
      {
        "status": "affected",
        "version": "< 2.12.6"
      }
    ]
  }
]

ADP Affected

[
  {
    "cpes": [
      "cpe:2.3:a:nsa:skills-service:*:*:*:*:*:*:*:*"
    ],
    "vendor": "nsa",
    "product": "skills-service",
    "versions": [
      {
        "status": "affected",
        "version": "0",
        "lessThan": "2.12.6",
        "versionType": "custom"
      }
    ],
    "defaultStatus": "unknown"
  }
]

Related

osv 1
cve 1
cvelist 1
nvd 1
osv
osv
CVE-2024-39326
2024-07-02 21:15:11
cve
cve
CVE-2024-39326
2024-07-02 21:15:11
cvelist
cvelist
CVE-2024-39326 SkillTree CSRF Vulnerability allows an attacker to modify the Video and Captions of a Skill
2024-07-02 20:55:01
nvd
nvd
CVE-2024-39326
2024-07-02 21:15:11

CVSS3

4.4

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N

AI Score

7.2

Confidence

High

SSVC

Exploitation

poc

Automatable

no

Technical Impact

partial

JSON
Related for VULNRICHMENT:CVE-2024-39326
osv1cve1cvelist1nvd1