| Title | CoreHR Core Portal up to 27.0.7 Cross site request forgery |
|---|
| Description | A vulnerability was found in CoreHR Core Portal up to 27.0.7. It has been rated as problematic. Affected by this issue is an unknown code block. Manipulation of the anti-CSRF token with an unknown input bypasses the protection and leads to a cross-site request forgery vulnerability. The weakness is classified as CWE-352. Integrity, confidentiality and availability are impacted. An attacker might be able to trick an authenticated user into updating his or her bank details, associating an arbitrary LinkedIn account (which can then be used to log in as the user), and invoking a few other less critical functions.
The weakness was discovered in February 2019 and published on 12/09/2019 by Alessandro Magnosi. The public release was coordinated with the vendor. This vulnerability is tracked as CVE-2019-19686. The attack may be launched remotely. The attacker needs no credentials of their own; as with any CSRF, the victim must be logged in to the portal when the forged request is submitted. Technical details are unknown, but a private exploit is available. The advisory points out:
The affected component is an unspecified item of the Core Portal component. Full details on the vulnerability won't be disclosed to the public.
A private exploit has been developed by Alessandro Magnosi. It is declared as proof-of-concept.
Upgrading to version 27.0.8 eliminates this vulnerability. |
|---|
| User | Anonymous User |
|---|
| Submitted | 2019-12-09, 06:43 PM (6 years ago) |
|---|
| Moderation | 2019-12-10, 09:03 AM (14 hours later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 146832 [CoreHR Core Portal up to 27.0.7 Cross site request forgery] |
|---|
| Points | 17 |
|---|
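The advisory above does not say how the Core Portal token is manipulated, and nothing here is CoreHR code or the actual bypass. What follows is an added Python example of the general CWE-352 failure mode behind "manipulation of the anti-CSRF token permits to bypass the protection": a handler that validates the token only when the client happens to send one, placed beside a check that requires the token, binds it to the session, compares it in constant time and verifies the request origin. The cookie name, form-field name, session store, bank-details payload and request shape are all assumptions constructed for the example.

```python
"""Anti-CSRF token validation: a weak check beside a hardened one.

Added example, not CoreHR code. The advisory does not say how the
Core Portal token is manipulated; the weak pattern below (comparing the
token only when the client sent one) is a common CWE-352 failure mode
chosen for illustration. Cookie, field and session names are assumptions.
"""
import hmac
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

TOKEN_FIELD = "csrf_token"              # assumed form-field name
SESSION_COOKIE = "SESSIONID"            # assumed session cookie name
SITE_ORIGIN = "https://portal.example"  # assumed origin of the portal

# Constructed in-memory session store: session id -> user and per-session token.
SESSIONS: Dict[str, Dict[str, str]] = {
    "s1": {"user": "alice", "csrf": secrets.token_hex(16)},
}


def _session_for(request: dict) -> Optional[Dict[str, str]]:
    return SESSIONS.get(request["cookies"].get(SESSION_COOKIE, ""))


def weak_check(request: dict) -> bool:
    """Weak pattern: the token is validated only if the client sent one.

    A cross-site form that omits the field, or sends it empty, is accepted
    even though the browser attached the victim's session cookie.
    """
    session = _session_for(request)
    if session is None:
        return False
    submitted = request["form"].get(TOKEN_FIELD)
    if submitted and submitted != session["csrf"]:
        return False
    return True


def _same_origin(url: str) -> bool:
    # Compare scheme and host exactly; a prefix match would accept
    # https://portal.example.attacker.example.
    site, given = urlsplit(SITE_ORIGIN), urlsplit(url)
    return (given.scheme, given.netloc) == (site.scheme, site.netloc)


def strict_check(request: dict) -> bool:
    """Hardened: token required, bound to the session, compared in constant
    time; an Origin (or Referer) header, when present, must match the site."""
    session = _session_for(request)
    if session is None:
        return False
    submitted = request["form"].get(TOKEN_FIELD)
    if not submitted:
        return False
    if not hmac.compare_digest(submitted.encode(), session["csrf"].encode()):
        return False
    source = request["headers"].get("Origin") or request["headers"].get("Referer")
    if source is not None and not _same_origin(source):
        return False
    return True


def build_request(form: Dict[str, str], origin: Optional[str] = None) -> dict:
    """Constructed POST to the bank-details form. The victim's session cookie
    is always attached, as a browser without SameSite restrictions would do
    for a cross-site form post."""
    headers = {"Origin": origin} if origin is not None else {}
    return {"cookies": {SESSION_COOKIE: "s1"}, "form": form, "headers": headers}


BANK_FORM = {"iban": "DE00000000000000000000"}  # constructed payload


def scenarios() -> Dict[str, dict]:
    good = dict(BANK_FORM, **{TOKEN_FIELD: SESSIONS["s1"]["csrf"]})
    attacker = "https://attacker.example"
    return {
        "legitimate": build_request(good, SITE_ORIGIN),
        "cross_site_omitted": build_request(BANK_FORM, attacker),
        "cross_site_blank": build_request(dict(BANK_FORM, **{TOKEN_FIELD: ""}), attacker),
        "cross_site_guessed": build_request(dict(BANK_FORM, **{TOKEN_FIELD: "00" * 16}), attacker),
        "no_origin_header": build_request(BANK_FORM),
    }


def evaluate() -> Dict[str, Tuple[bool, bool]]:
    """Returns name -> (accepted by weak_check, accepted by strict_check)."""
    return {name: (weak_check(req), strict_check(req)) for name, req in scenarios().items()}


if __name__ == "__main__":
    for name, (weak, strict) in evaluate().items():
        print(f"{name:20s} weak={weak!s:5s} strict={strict}")
```

The point to take from the two checks is that `weak_check` rejects a wrong token but never notices an absent one, so a plain cross-site form that simply leaves the field out rides the victim's session cookie straight through; `strict_check` treats absence and mismatch alike, and the origin comparison is an extra layer rather than a substitute, since the header is optional and some clients strip Referer.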