8.8
CVE-2017-7178
- EPSS 4.02%
- Veröffentlicht 18.03.2017 20:59:00
- Zuletzt bearbeitet 13.05.2026 00:24:29
- CVE-Watchlists
- Unerledigt
CSRF was discovered in the web UI in Deluge before 1.3.14. The exploitation methodology involves (1) hosting a crafted plugin that executes an arbitrary program from its __init__.py file and (2) causing the victim to download, install, and enable this plugin.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Deluge-torrent ≫ Deluge Version < 1.3.14
Debian ≫ Debian Linux Version8.0
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 4.02% | 0.894 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 8.8 | 2.8 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
|
| nvd@nist.gov | 6.8 | 8.6 | 6.4 |
AV:N/AC:M/Au:N/C:P/I:P/A:P
|
CWE-352 Cross-Site Request Forgery (CSRF)
The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
http://dev.deluge-torrent.org/wiki/ReleaseNotes/1.3.14
http://git.deluge-torrent.org/deluge/commit/?h=1.3-stable&id=318ab179865e0707d7945edc3a13a464a108d583
http://git.deluge-torrent.org/deluge/commit/?h=develop&id=11e8957deaf0c76fdfbac62d99c8b6c61cfdddf9
http://seclists.org/fulldisclosure/2017/Mar/6
http://www.debian.org/security/2017/dsa-3856
http://www.securityfocus.com/bid/97041
https://bugs.debian.org/857903
https://security.gentoo.org/glsa/201703-06