Allegro RomPager 4.01 HTTP POST Request usertable.htm?action=delete username cross-site request forgery
CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
---|---|---|
5.7 | $0-$5k | 0.05 |
A vulnerability was found in Allegro RomPager 4.01. It has been classified as problematic. Affected is an unknown functionality of the file usertable.htm?action=delete of the component HTTP POST Request Handler. The manipulation of the argument username
with an unknown input leads to a cross-site request forgery vulnerability. CWE is classifying the issue as CWE-352. The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request. This is going to have an impact on integrity.
The weakness was disclosed 01/14/2024. This vulnerability is traded as CVE-2024-0522. Successful exploitation requires user interaction by the victim. There are known technical details, but no exploit is available.
The vendor explains that this is a very old issue that got fixed 20 years ago but without a public disclosure.
Upgrading to version 4.30 eliminates this vulnerability. A possible mitigation has been published even before and not after the disclosure of the vulnerability.
Product
Vendor
Name
Version
CPE 2.3
CPE 2.2
CVSSv4
VulDB CVSS-B Score: 🔒VulDB CVSS-BT Score: 🔒
VulDB Vector: 🔒
VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 5.8VulDB Meta Temp Score: 5.7
VulDB Base Score: 4.3
VulDB Temp Score: 4.1
VulDB Vector: 🔒
VulDB Reliability: 🔍
NVD Base Score: 8.8
NVD Vector: 🔒
CNA Base Score: 4.3
CNA Vector (VulDB): 🔒
CVSSv2
AV | AC | Au | C | I | A |
---|---|---|---|---|---|
💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
---|---|---|---|---|---|
unlock | unlock | unlock | unlock | unlock | unlock |
unlock | unlock | unlock | unlock | unlock | unlock |
unlock | unlock | unlock | unlock | unlock | unlock |
VulDB Base Score: 🔒
VulDB Temp Score: 🔒
VulDB Reliability: 🔍
NVD Base Score: 🔒
Exploiting
Class: Cross-site request forgeryCWE: CWE-352 / CWE-862 / CWE-863
CAPEC: 🔒
ATT&CK: 🔒
Local: No
Remote: Yes
Availability: 🔒
Status: Not defined
EPSS Score: 🔒
EPSS Percentile: 🔒
Price Prediction: 🔍
Current Price Estimation: 🔒
0-Day | unlock | unlock | unlock | unlock |
---|---|---|---|---|
Today | unlock | unlock | unlock | unlock |
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
0-Day Time: 🔒
Upgrade: RomPager 4.30
Timeline
12/13/2003 Countermeasure disclosed01/14/2024 Advisory disclosed
01/14/2024 CVE reserved
01/14/2024 VulDB entry created
02/03/2024 VulDB entry last update
Sources
Status: ConfirmedCVE: CVE-2024-0522 (🔒)
Entry
Created: 01/14/2024 05:20 PMUpdated: 02/03/2024 08:14 AM
Changes: 01/14/2024 05:20 PM (42), 02/03/2024 08:11 AM (2), 02/03/2024 08:14 AM (28)
Complete: 🔍
Submitter: lorenzomoulin
Cache ID: 18:500:40
Submit
Accepted
- Submit #255828: Allegro RomPager 4.01 Cross-site Request Forgery (by lorenzomoulin)
No comments yet. Languages: en.
Please log in to comment.