| Field | Value |
|---|---|
| Title | CoreHR Core Portal up to 27.0.7 Cross site request forgery |
| Description | A vulnerability was found in CoreHR Core Portal up to 27.0.6. It has been rated as problematic. Affected by this issue is an unknown code block. Manipulation of the anti-CSRF token with an unknown input allows the protection to be bypassed and leads to a cross site request forgery vulnerability. Using CWE to declare the problem leads to CWE-352. Integrity, confidentiality and availability are impacted. An attacker might be able to trick an authenticated user into updating their bank details, associating an arbitrary Linkedin account (and using it to log in as the user), and using a few other less critical functions. |
| | The weakness was discovered during February 2019 and published on 12/09/2019 by Alessandro Magnosi. The public release has been coordinated with the vendor. This vulnerability is handled as CVE-2019-19686. The attack may be launched remotely. No form of authentication is required for exploitation. Technical details are unknown but a private exploit is available. The advisory points out: "The affected component is an unspecified item of the Core Portal component. Full details on the vulnerability won't be disclosed to the public." |
| | A private exploit has been developed by Alessandro Magnosi. It is declared as proof-of-concept. |
| | Upgrading to version 27.0.8 eliminates this vulnerability. |
| Submission | 09.12.2019 18:43 (4 years ago) |
| Moderation | 10.12.2019 09:03 (14 hours later) |
| Status | Accepted |
| VulDB Entry | 146832 |