CVE-2018-19334

CWE-352 — Cross-Site Request Forgery (CSRF)3 documents3 sources

Severity

5.3MEDIUM

EPSS

0.1%

top 71.40%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Google Monorail

Timeline

PublishedNov 20

Latest updateMay 14

Description

Google Monorail before 2018-05-04 has a Cross-Site Search (XS-Search) vulnerability because CSV downloads are affected by CSRF, and calculations of download times (for requests with an unsupported axis) can be used to obtain sensitive information about the content of bug reports.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:NExploitability: 1.6 | Impact: 3.6

Affected Packages1 packages

▶NVDgoogle/monorail< 2018-05-04

Patches

Patch: chromium.googlesource.com ↗Patch: chromium.googlesource.com ↗

🔴Vulnerability Details

GHSA

GHSA-xm3j-wpq5-h526: Google Monorail before 2018-05-04 has a Cross-Site Search (XS-Search) vulnerability because CSV downloads are affected by CSRF, and calculations of do↗2022-05-14

▶

CVEList

CVE-2018-19334: Google Monorail before 2018-05-04 has a Cross-Site Search (XS-Search) vulnerability because CSV downloads are affected by CSRF, and calculations of do↗2018-11-20

▶