CVE-2024-1232 — Cross-Site Request Forgery in CM Download Manager

CWE-352 — Cross-Site Request Forgery CWE-476 — NULL Pointer Dereference4 documents4 sources

Severity

4.8MEDIUMNVD

EPSS

0.2%

top 52.43%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cminds CM Download Manager

Timeline

PublishedMar 25

Latest updateNov 5

Description

The CM Download Manager WordPress plugin before 2.9.0 does not have CSRF checks in some places, which could allow attackers to make logged in admins delete downloads via a CSRF attack

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:NExploitability: 1.7 | Impact: 2.7

Affected Packages1 packages

▶NVDcminds/cm_download_manager< 2.9.0

🔴Vulnerability Details

CVEList

CM Download Manager < 2.9.0 - Download Deletion via CSRF↗2024-03-25

▶

GHSA

GHSA-37x3-hqf8-5w7p: The CM Download Manager WordPress plugin before 2↗2024-03-25

▶

📋Vendor Advisories

Red Hat

kernel: drm/amd: Guard against bad data for ATIF ACPI method↗2024-11-05

▶