CVE-2013-7464 — Cross-Site Request Forgery in Project Csrf-magic

CWE-352 — Cross-Site Request Forgery3 documents3 sources

Severity

8.8HIGHNVD

EPSS

0.2%

top 60.52%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Csrf-magic Project Csrf-magic Debian Cacti Debian Zoneminder

Timeline

PublishedAug 8

Latest updateMay 14

Description

In csrf-magic before 1.0.4, if $GLOBALS['csrf']['secret'] is not configured, the Anti-CSRF Token used is predictable and would permit an attacker to bypass the CSRF protections, because an automatically generated secret is not used.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

▶NVDcsrf-magic_project/csrf-magic< 1.0.4

▶debiandebian/cacti

▶debiandebian/zoneminder

Patches

Patch: repo.or.cz ↗Patch: repo.or.cz ↗

🔴Vulnerability Details

GHSA

GHSA-w973-rg33-v5p7: In csrf-magic before 1↗2022-05-14

▶

📋Vendor Advisories

Debian

CVE-2013-7464: cacti - In csrf-magic before 1.0.4, if $GLOBALS['csrf']['secret'] is not configured, the...↗2013

▶