Submission #135: CoreHR Core Portal up to 27.0.7 Cross site request forgery - information

Title: CoreHR Core Portal up to 27.0.7 Cross site request forgery
Description: A vulnerability was found in CoreHR Core Portal up to 27.0.6. It has been rated as problematic. Affected by this issue is an unknown code block. The manipulation of the anti-CSRF token with an unknown input makes it possible to bypass the protection and leads to a cross site request forgery vulnerability. Using CWE to declare the problem leads to CWE-352. Impacted is integrity, confidentiality and availability. An attacker might be able to trick an authenticated user into updating his/her bank details, associating an arbitrary LinkedIn account (and using it to log in as the user), and using a few other less critical functions. The weakness was discovered during February 2019 and published on 12/09/2019 by Alessandro Magnosi. The public release has been coordinated with the vendor. This vulnerability is handled as CVE-2019-19686. The attack may be launched remotely. No form of authentication is required for exploitation. Technical details are unknown but a private exploit is available. The advisory points out: The affected component is an unspecified item of the Core Portal component. Full details on the vulnerability won't be disclosed to the public. A private exploit has been developed by Alessandro Magnosi. It is declared as proof-of-concept. Upgrading to version 27.0.8 eliminates this vulnerability.
User: Anonymous User
Submitted: 09/12/2019 18:43 (7 years ago)
Moderated: 10/12/2019 09:03 (14 hours later)
Status: Accepted
VulDB Entry: 146832 [CoreHR Core Portal up to 27.0.7 cross site request forgery]
Points: 17
