Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1jNHd4LTN4NXEtaGY0d84AAktI
Subrion CMS Cross-Site Request Forgery (CSRF) vulnerability
A Cross-Site Request Forgery (CSRF) vulnerability was discovered in Subrion CMS 4.2.1 that allows a remote attacker to remove files on the server without a victim's knowledge, by enticing an authenticated user to visit an attacker's web page. The application fails to validate the CSRF token for a GET request. An attacker can craft a panel/uploads/read.json?cmd=rm URL (removing this token) and send it to the victim.
Permalink: https://github.com/advisories/GHSA-c4wx-3x5q-hf4wJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jNHd4LTN4NXEtaGY0d84AAktI
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 2 years ago
Updated: 23 days ago
CVSS Score: 8.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
Identifiers: GHSA-c4wx-3x5q-hf4w, CVE-2019-20390
References:
- https://nvd.nist.gov/vuln/detail/CVE-2019-20390
- http://packetstormsecurity.com/files/157700/Subrion-CMS-4.2.1-Cross-Site-Request-Forgery.html
- https://github.com/advisories/GHSA-c4wx-3x5q-hf4w
Affected Packages
packagist:intelliants/subrion
Dependent packages: 0Dependent repositories: 4
Downloads: 129 total
Affected Version Ranges: = 4.2.1
No known fixed version
All affected versions: 4.2.1