Vulnerability Name: | CVE-2013-7464 (CCN-148205) | ||||||||||||||||||||||||||||||||
Assigned: | 2013-07-17 | ||||||||||||||||||||||||||||||||
Published: | 2013-07-17 | ||||||||||||||||||||||||||||||||
Updated: | 2018-10-09 | ||||||||||||||||||||||||||||||||
Summary: | In csrf-magic before 1.0.4, if $GLOBALS['csrf']['secret'] is not configured, the Anti-CSRF Token used is predictable and would permit an attacker to bypass the CSRF protections, because an automatically generated secret is not used. | ||||||||||||||||||||||||||||||||
CVSS v3 Severity: | 8.8 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) 7.7 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
3.8 Low (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C)
| ||||||||||||||||||||||||||||||||
CVSS v2 Severity: | 6.8 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P)
| ||||||||||||||||||||||||||||||||
Vulnerability Type: | CWE-352 | ||||||||||||||||||||||||||||||||
Vulnerability Consequences: | Gain Access | ||||||||||||||||||||||||||||||||
References: | Source: CCN Type: csrf-magic Web site csrf-magic: Wizard CSRF Protection for PHP Source: CCN Type: csrf-magic Web page csrf-magic 1.0.4 released Source: MISC Type: Release Notes, Vendor Advisory http://csrf.htmlpurifier.org/news/2013/0717-1.0.4-released Source: MITRE Type: CNA CVE-2013-7464 Source: MISC Type: Release Notes, Third Party Advisory http://repo.or.cz/csrf-magic.git/blob/HEAD:/NEWS.txt Source: MISC Type: Patch, Third Party Advisory http://repo.or.cz/csrf-magic.git/commit/9d2537f70d58b16aeba89779aaf1573b8d618e11 Source: XF Type: UNKNOWN csrfmagic-cve20137464-csrf(148205) | ||||||||||||||||||||||||||||||||
Vulnerable Configuration: | Configuration 1: Denotes that component is vulnerable | ||||||||||||||||||||||||||||||||
Oval Definitions | |||||||||||||||||||||||||||||||||
| |||||||||||||||||||||||||||||||||
BACK |