CVE-2019-15062

Exploit

EPSS 0.13%
Published 14.08.2019 23:15:10
Last modified 21.11.2024 04:27:58
Source cve@mitre.org
Teams watchlist Login
Open Login

An issue was discovered in Dolibarr 11.0.0-alpha. A user can store an IFRAME element (containing a user/card.php CSRF request) in his Linked Files settings page. When visited by the admin, this could completely take over the admin account. (The protection mechanism for CSRF is to check the Referer header; however, because the attack is from one of the application's own settings pages, this mechanism is bypassed.)

Affected products Warnungen 0 Metrics 3 CWE 1 References 5

Data is provided by the National Vulnerability Database (NVD)

Dolibarr ≫ Dolibarr Erp/crm Version11.0.0 Updatealpha

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.13%	0.29

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	8	2.1	5.9	CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
nvd@nist.gov	6	6.8	6.4	AV:N/AC:M/Au:S/C:P/I:P/A:P

CWE-352 Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

https://gauravnarwani.com/publications/CVE-2019-15062/

Third Party Advisory

Exploit

https://github.com/Dolibarr/dolibarr/issues/11671

Patch

Third Party Advisory

Exploit

Issue Tracking

https://nvd.nist.gov/vuln/detail/CVE-2019-15062

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2019-15062

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2019-15062

EUVD