Cross Site Request Forgery (CSRF)

Affecting flarum/core package, versions <0.1.0-beta.9

Overview

flarum/core is a simple discussion platform for your website.

Affected versions of this package are vulnerable to Cross Site Request Forgery (CSRF). The package performs no CSRF check on any of its POST endpoints, so a forged cross-site request sent by a logged-in user's browser is processed as if it were legitimate; for example, an attacker can change admin settings this way.
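What "CSRF against all POST endpoints" means in remediation terms, as an added illustration that is not Flarum's own code: one token check placed in front of every state-changing route, so a forged cross-site form post (which carries the administrator's cookies but cannot carry the per-session token) is refused before the settings handler runs. The `csrfToken` and `csrfGate` function names, the request arrays and the session store are all constructed for this demo.

```php
<?php
// Added example, not code from flarum/core: a single CSRF gate that every
// state-changing request must pass, so no POST endpoint is reachable without it.
declare(strict_types=1);

const SAFE_METHODS = ['GET', 'HEAD', 'OPTIONS'];

/** Mint one unguessable token per session (constructed session store). */
function csrfToken(array &$session): string
{
    if (!isset($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

/**
 * Decide whether a request may reach a handler. Any method that can change
 * state must carry a token (header or form field) equal to the session's.
 * Returns null when allowed, otherwise the HTTP status to send instead.
 */
function csrfGate(array $request, array &$session): ?int
{
    if (in_array(strtoupper($request['method']), SAFE_METHODS, true)) {
        return null; // safe methods do not change state, so no token is required
    }
    $expected = csrfToken($session);
    $given = $request['headers']['X-CSRF-Token']
        ?? $request['body']['csrfToken']
        ?? '';
    // hash_equals compares in constant time, so the check does not leak the token.
    return hash_equals($expected, (string) $given) ? null : 403;
}

// Constructed demo: a logged-in admin's session and two POSTs to a settings route.
$session = [];
$token = csrfToken($session);

$forged = [ // cross-site form post: cookies are sent automatically, token is absent
    'method' => 'POST', 'path' => '/api/settings',
    'headers' => [], 'body' => ['forum_title' => 'changed-by-forged-request'],
];
$legit = [ // same-origin client that read the token from the rendered page
    'method' => 'POST', 'path' => '/api/settings',
    'headers' => ['X-CSRF-Token' => $token], 'body' => ['forum_title' => 'My Forum'],
];

echo 'forged request: ', csrfGate($forged, $session) === null ? 'allowed' : 'rejected', PHP_EOL;
echo 'legit request:  ', csrfGate($legit, $session) === null ? 'allowed' : 'rejected', PHP_EOL;
```

Because the gate runs before routing, adding a new POST endpoint cannot silently reintroduce the bug; the test that matters is that the forged request is rejected while the token-bearing one is allowed.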

Remediation

Upgrade flarum/core to version 0.1.0-beta.9 or higher.

CVSS Score

7.5 (high severity)
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Changed
  • Confidentiality: High
  • Integrity: Low
  • Availability: None
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:N
Credit: CuPcakeN1njA
CVE: CVE-2019-13183
CWE: CWE-352
Snyk ID: SNYK-PHP-FLARUMCORE-451555
Disclosed: 05 Jul, 2019
Published: 08 Jul, 2019