CVE-2019-15062

Exploit

EPSS 0.13%
Veröffentlicht 14.08.2019 23:15:10
Zuletzt bearbeitet 21.11.2024 04:27:58
Quelle cve@mitre.org
Teams Watchlist Login
Unerledigt Login

An issue was discovered in Dolibarr 11.0.0-alpha. A user can store an IFRAME element (containing a user/card.php CSRF request) in his Linked Files settings page. When visited by the admin, this could completely take over the admin account. (The protection mechanism for CSRF is to check the Referer header; however, because the attack is from one of the application's own settings pages, this mechanism is bypassed.)

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Dolibarr ≫ Dolibarr Erp/crm Version11.0.0 Updatealpha

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.13%	0.29

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8	2.1	5.9	CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
nvd@nist.gov	6	6.8	6.4	AV:N/AC:M/Au:S/C:P/I:P/A:P

CWE-352 Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

https://gauravnarwani.com/publications/CVE-2019-15062/

Third Party Advisory

Exploit

https://github.com/Dolibarr/dolibarr/issues/11671

Patch

Third Party Advisory

Exploit

Issue Tracking

https://nvd.nist.gov/vuln/detail/CVE-2019-15062

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2019-15062

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2019-15062

EUVD