Submit #135: CoreHR Core Portal up to 27.0.7 Cross site request forgery
| Title | CoreHR Core Portal up to 27.0.7 Cross site request forgery |
|---|---|
| Description | A vulnerability was found in CoreHR Core Portal up to 27.0.6. It has been rated as problematic. Affected by this issue is an unknown code block. Manipulation of the anti-CSRF token with an unknown input bypasses the protection and leads to a cross site request forgery vulnerability. Using CWE to declare the problem leads to CWE-352. Impacted are integrity, confidentiality and availability. An attacker might be able to trick an authenticated user into updating his/her bank details, associating an arbitrary LinkedIn account (and using it to log in as the user), and using a few other less critical functions. The weakness was discovered during February 2019 and published on 12/09/2019 by Alessandro Magnosi. The public release has been coordinated with the vendor. This vulnerability is handled as CVE-2019-19686. The attack may be launched remotely. No form of authentication is required for exploitation. Technical details are unknown but a private exploit is available. The advisory points out: The affected component is an unspecified item of the Core Portal component. Full details on the vulnerability won't be disclosed to the public. A private exploit has been developed by Alessandro Magnosi. It is declared as proof-of-concept. Upgrading to version 27.0.8 eliminates this vulnerability. |
| Submission | 2019-12-09 18:43 (4 years ago) |
| Moderation | 2019-12-10 09:03 (14 hours later) |
| Accepted | Accepted |
| VulDB Entry | VDB-146832 |