CVE-2024-9847

Exploit

EPSS 0.09%
Veröffentlicht 20.03.2025 10:09:19
Zuletzt bearbeitet 24.06.2025 14:38:04
Quelle security@huntr.dev
CVE-Watchlists
Login
Unerledigt
Login

FlatPress CMS version latest is vulnerable to Cross-Site Request Forgery (CSRF) attacks that allow an attacker to enable or disable plugins on behalf of a victim user. The attacker can craft a malicious link or script that, when clicked by an authenticated user, will send a request to the FlatPress CMS server to perform the desired action on behalf of the victim user. Since the request is authenticated, the server will process it as if it were initiated by the legitimate user, effectively allowing the attacker to perform unauthorized actions. This vulnerability is fixed in version 1.4.dev.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Flatpress ≫ Flatpress Version < 1.4

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.09%	0.249

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security@huntr.dev	8	1.3	6	CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CWE-352 Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

https://huntr.com/bounties/b30ef7b0-74ea-4cac-adc4-1cc8a5cb559e

Third Party Advisory

Exploit

https://github.com/flatpressblog/flatpress/commit/a81c968f51f134b5e5f9bbe208aa12f4fbc329df

Patch

https://nvd.nist.gov/vuln/detail/CVE-2024-9847

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-9847

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-9847

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-9847