cvelistv5 - cve-2019-13183

CVE-2019-13183 (GCVE-0-2019-13183)

Vulnerability from cvelistv5 – Published: 2019-07-07 14:34 – Updated: 2024-08-04 23:41

Summary

Flarum before 0.1.0-beta.9 allows CSRF against all POST endpoints, as demonstrated by changing admin settings.

Severity ?

No CVSS data available.

CWE

Assigner

mitre

References

URL

Tags

	https://github.com/flarum/core/blob/master/CHANGELOG.md	x_refsource_MISC
	https://discuss.flarum.org/d/20606-flarum-0-1-0-b…	x_refsource_CONFIRM
	https://github.com/flarum/core/security/advisorie…	x_refsource_CONFIRM

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T23:41:10.532Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/flarum/core/blob/master/CHANGELOG.md"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://discuss.flarum.org/d/20606-flarum-0-1-0-beta-9-released"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/flarum/core/security/advisories/GHSA-3wjh-93gr-chh6"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Flarum before 0.1.0-beta.9 allows CSRF against all POST endpoints, as demonstrated by changing admin settings."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-07-07T14:34:45",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/flarum/core/blob/master/CHANGELOG.md"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://discuss.flarum.org/d/20606-flarum-0-1-0-beta-9-released"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/flarum/core/security/advisories/GHSA-3wjh-93gr-chh6"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2019-13183",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Flarum before 0.1.0-beta.9 allows CSRF against all POST endpoints, as demonstrated by changing admin settings."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/flarum/core/blob/master/CHANGELOG.md",
              "refsource": "MISC",
              "url": "https://github.com/flarum/core/blob/master/CHANGELOG.md"
            },
            {
              "name": "https://discuss.flarum.org/d/20606-flarum-0-1-0-beta-9-released",
              "refsource": "CONFIRM",
              "url": "https://discuss.flarum.org/d/20606-flarum-0-1-0-beta-9-released"
            },
            {
              "name": "https://github.com/flarum/core/security/advisories/GHSA-3wjh-93gr-chh6",
              "refsource": "CONFIRM",
              "url": "https://github.com/flarum/core/security/advisories/GHSA-3wjh-93gr-chh6"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2019-13183",
    "datePublished": "2019-07-07T14:34:45",
    "dateReserved": "2019-07-02T00:00:00",
    "dateUpdated": "2024-08-04T23:41:10.532Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:flarum:flarum:0.1.0:-:*:*:*:*:*:*\", \"matchCriteriaId\": \"D9EF6C49-5066-4252-8356-6109F26CD021\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:flarum:flarum:0.1.0:beta2:*:*:*:*:*:*\", \"matchCriteriaId\": \"29211245-B5E7-4D83-BE77-573D8DF19079\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:flarum:flarum:0.1.0:beta3:*:*:*:*:*:*\", \"matchCriteriaId\": \"5122F0A6-28F6-4DF5-89E2-850C67729C59\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:flarum:flarum:0.1.0:beta4:*:*:*:*:*:*\", \"matchCriteriaId\": \"3D9BAA2E-3888-4B81-BB41-6053CBEE20DF\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:flarum:flarum:0.1.0:beta5:*:*:*:*:*:*\", \"matchCriteriaId\": \"637415E5-2EE1-4D2C-BB25-56E59827F060\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:flarum:flarum:0.1.0:beta6:*:*:*:*:*:*\", \"matchCriteriaId\": \"6CB8737B-762D-4ACA-B172-D36F8A93365A\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:flarum:flarum:0.1.0:beta7:*:*:*:*:*:*\", \"matchCriteriaId\": \"36954DAE-127A-4259-8BB6-99B8EF347348\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:flarum:flarum:0.1.0:beta7.1:*:*:*:*:*:*\", \"matchCriteriaId\": \"5A5962B6-2742-46C8-AB55-15E5E6997045\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:flarum:flarum:0.1.0:beta7.2:*:*:*:*:*:*\", \"matchCriteriaId\": \"EE5F5C50-C597-4B0A-B048-5F294C1DFE57\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:flarum:flarum:0.1.0:beta8:*:*:*:*:*:*\", \"matchCriteriaId\": \"C1D53036-CD08-4A0D-9245-88666EBD6A1B\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:flarum:flarum:0.1.0:beta8.1:*:*:*:*:*:*\", \"matchCriteriaId\": \"95A09CC4-B2CC-4D1D-8811-9E4BE5169677\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:flarum:flarum:0.1.0:beta8.2:*:*:*:*:*:*\", \"matchCriteriaId\": \"A3E94458-6C0B-4E45-BB79-22DB43F80493\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Flarum before 0.1.0-beta.9 allows CSRF against all POST endpoints, as demonstrated by changing admin settings.\"}, {\"lang\": \"es\", \"value\": \"Flarum hasta la versi\\u00f3n 0.1.0-beta.9 permite CSRF contra todos los puntos finales POST, como se demuestra al cambiar la configuraci\\u00f3n de administraci\\u00f3n.\"}]",
      "id": "CVE-2019-13183",
      "lastModified": "2024-11-21T04:24:22.547",
      "metrics": "{\"cvssMetricV30\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.0\", \"vectorString\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\", \"baseScore\": 8.8, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 5.9}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:N/C:P/I:P/A:P\", \"baseScore\": 6.8, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.6, \"impactScore\": 6.4, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": true}]}",
      "published": "2019-07-07T15:15:10.307",
      "references": "[{\"url\": \"https://discuss.flarum.org/d/20606-flarum-0-1-0-beta-9-released\", \"source\": \"cve@mitre.org\", \"tags\": [\"Release Notes\", \"Vendor Advisory\"]}, {\"url\": \"https://github.com/flarum/core/blob/master/CHANGELOG.md\", \"source\": \"cve@mitre.org\", \"tags\": [\"Release Notes\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/flarum/core/security/advisories/GHSA-3wjh-93gr-chh6\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://discuss.flarum.org/d/20606-flarum-0-1-0-beta-9-released\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Release Notes\", \"Vendor Advisory\"]}, {\"url\": \"https://github.com/flarum/core/blob/master/CHANGELOG.md\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Release Notes\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/flarum/core/security/advisories/GHSA-3wjh-93gr-chh6\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}]",
      "sourceIdentifier": "cve@mitre.org",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-352\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2019-13183\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2019-07-07T15:15:10.307\",\"lastModified\":\"2024-11-21T04:24:22.547\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Flarum before 0.1.0-beta.9 allows CSRF against all POST endpoints, as demonstrated by changing admin settings.\"},{\"lang\":\"es\",\"value\":\"Flarum hasta la versi\u00f3n 0.1.0-beta.9 permite CSRF contra todos los puntos finales POST, como se demuestra al cambiar la configuraci\u00f3n de administraci\u00f3n.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:P/I:P/A:P\",\"baseScore\":6.8,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-352\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:flarum:flarum:0.1.0:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"D9EF6C49-5066-4252-8356-6109F26CD021\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:flarum:flarum:0.1.0:beta2:*:*:*:*:*:*\",\"matchCriteriaId\":\"29211245-B5E7-4D83-BE77-573D8DF19079\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:flarum:flarum:0.1.0:beta3:*:*:*:*:*:*\",\"matchCriteriaId\":\"5122F0A6-28F6-4DF5-89E2-850C67729C59\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:flarum:flarum:0.1.0:beta4:*:*:*:*:*:*\",\"matchCriteriaId\":\"3D9BAA2E-3888-4B81-BB41-6053CBEE20DF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:flarum:flarum:0.1.0:beta5:*:*:*:*:*:*\",\"matchCriteriaId\":\"637415E5-2EE1-4D2C-BB25-56E59827F060\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:flarum:flarum:0.1.0:beta6:*:*:*:*:*:*\",\"matchCriteriaId\":\"6CB8737B-762D-4ACA-B172-D36F8A93365A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:flarum:flarum:0.1.0:beta7:*:*:*:*:*:*\",\"matchCriteriaId\":\"36954DAE-127A-4259-8BB6-99B8EF347348\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:flarum:flarum:0.1.0:beta7.1:*:*:*:*:*:*\",\"matchCriteriaId\":\"5A5962B6-2742-46C8-AB55-15E5E6997045\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:flarum:flarum:0.1.0:beta7.2:*:*:*:*:*:*\",\"matchCriteriaId\":\"EE5F5C50-C597-4B0A-B048-5F294C1DFE57\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:flarum:flarum:0.1.0:beta8:*:*:*:*:*:*\",\"matchCriteriaId\":\"C1D53036-CD08-4A0D-9245-88666EBD6A1B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:flarum:flarum:0.1.0:beta8.1:*:*:*:*:*:*\",\"matchCriteriaId\":\"95A09CC4-B2CC-4D1D-8811-9E4BE5169677\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:flarum:flarum:0.1.0:beta8.2:*:*:*:*:*:*\",\"matchCriteriaId\":\"A3E94458-6C0B-4E45-BB79-22DB43F80493\"}]}]}],\"references\":[{\"url\":\"https://discuss.flarum.org/d/20606-flarum-0-1-0-beta-9-released\",\"source\":\"cve@mitre.org\",\"tags\":[\"Release Notes\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/flarum/core/blob/master/CHANGELOG.md\",\"source\":\"cve@mitre.org\",\"tags\":[\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/flarum/core/security/advisories/GHSA-3wjh-93gr-chh6\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://discuss.flarum.org/d/20606-flarum-0-1-0-beta-9-released\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/flarum/core/blob/master/CHANGELOG.md\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/flarum/core/security/advisories/GHSA-3wjh-93gr-chh6\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}"
  }
}

CNVD-2019-22227

Vulnerability from cnvd - Published: 2019-07-12

Title

Flarum跨站请求伪造漏洞

Description

Flarum是一套开源的论坛系统。 Flarum 0.1.0-beta.9之前版本中存在跨站请求伪造漏洞，该漏洞源于网络系统或产品未充分验证数据的来源或真实性，攻击者可利用伪造的数据进行攻击。

Severity

中

Patch Name

Flarum跨站请求伪造漏洞的补丁

Patch Description

Flarum是一套开源的论坛系统。 Flarum 0.1.0-beta.9之前版本中存在跨站请求伪造漏洞，该漏洞源于网络系统或产品未充分验证数据的来源或真实性，攻击者可利用伪造的数据进行攻击。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://discuss.flarum.org/d/20606-flarum-0-1-0-beta-9-released

Reference

https://github.com/flarum/core/security/advisories/GHSA-3wjh-93gr-chh6 https://github.com/flarum/core/blob/master/CHANGELOG.md https://discuss.flarum.org/d/20606-flarum-0-1-0-beta-9-released

Impacted products

Name
FlarumChina Flarum <0.1.0-beta.9

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2019-13183"
    }
  },
  "description": "Flarum\u662f\u4e00\u5957\u5f00\u6e90\u7684\u8bba\u575b\u7cfb\u7edf\u3002\n\nFlarum 0.1.0-beta.9\u4e4b\u524d\u7248\u672c\u4e2d\u5b58\u5728\u8de8\u7ad9\u8bf7\u6c42\u4f2a\u9020\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7f51\u7edc\u7cfb\u7edf\u6216\u4ea7\u54c1\u672a\u5145\u5206\u9a8c\u8bc1\u6570\u636e\u7684\u6765\u6e90\u6216\u771f\u5b9e\u6027\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u4f2a\u9020\u7684\u6570\u636e\u8fdb\u884c\u653b\u51fb\u3002",
  "discovererName": "CuPcakeN1njA",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://discuss.flarum.org/d/20606-flarum-0-1-0-beta-9-released",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2019-22227",
  "openTime": "2019-07-12",
  "patchDescription": "Flarum\u662f\u4e00\u5957\u5f00\u6e90\u7684\u8bba\u575b\u7cfb\u7edf\u3002\r\n\r\nFlarum 0.1.0-beta.9\u4e4b\u524d\u7248\u672c\u4e2d\u5b58\u5728\u8de8\u7ad9\u8bf7\u6c42\u4f2a\u9020\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7f51\u7edc\u7cfb\u7edf\u6216\u4ea7\u54c1\u672a\u5145\u5206\u9a8c\u8bc1\u6570\u636e\u7684\u6765\u6e90\u6216\u771f\u5b9e\u6027\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u4f2a\u9020\u7684\u6570\u636e\u8fdb\u884c\u653b\u51fb\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Flarum\u8de8\u7ad9\u8bf7\u6c42\u4f2a\u9020\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "FlarumChina Flarum \u003c0.1.0-beta.9"
  },
  "referenceLink": "https://github.com/flarum/core/security/advisories/GHSA-3wjh-93gr-chh6\r\nhttps://github.com/flarum/core/blob/master/CHANGELOG.md\r\nhttps://discuss.flarum.org/d/20606-flarum-0-1-0-beta-9-released",
  "serverity": "\u4e2d",
  "submitTime": "2019-07-09",
  "title": "Flarum\u8de8\u7ad9\u8bf7\u6c42\u4f2a\u9020\u6f0f\u6d1e"
}

FKIE_CVE-2019-13183

Vulnerability from fkie_nvd - Published: 2019-07-07 15:15 - Updated: 2024-11-21 04:24

Severity ?

8.8 (High) - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Summary

Flarum before 0.1.0-beta.9 allows CSRF against all POST endpoints, as demonstrated by changing admin settings.

References

URL	Tags
cve@mitre.org	https://discuss.flarum.org/d/20606-flarum-0-1-0-beta-9-released	Release Notes, Vendor Advisory
cve@mitre.org	https://github.com/flarum/core/blob/master/CHANGELOG.md	Release Notes, Third Party Advisory
cve@mitre.org	https://github.com/flarum/core/security/advisories/GHSA-3wjh-93gr-chh6	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://discuss.flarum.org/d/20606-flarum-0-1-0-beta-9-released	Release Notes, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/flarum/core/blob/master/CHANGELOG.md	Release Notes, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/flarum/core/security/advisories/GHSA-3wjh-93gr-chh6	Third Party Advisory

Impacted products

Vendor	Product	Version
flarum	flarum	0.1.0
flarum	flarum	0.1.0
flarum	flarum	0.1.0
flarum	flarum	0.1.0
flarum	flarum	0.1.0
flarum	flarum	0.1.0
flarum	flarum	0.1.0
flarum	flarum	0.1.0
flarum	flarum	0.1.0
flarum	flarum	0.1.0
flarum	flarum	0.1.0
flarum	flarum	0.1.0

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:flarum:flarum:0.1.0:-:*:*:*:*:*:*",
              "matchCriteriaId": "D9EF6C49-5066-4252-8356-6109F26CD021",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:flarum:flarum:0.1.0:beta2:*:*:*:*:*:*",
              "matchCriteriaId": "29211245-B5E7-4D83-BE77-573D8DF19079",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:flarum:flarum:0.1.0:beta3:*:*:*:*:*:*",
              "matchCriteriaId": "5122F0A6-28F6-4DF5-89E2-850C67729C59",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:flarum:flarum:0.1.0:beta4:*:*:*:*:*:*",
              "matchCriteriaId": "3D9BAA2E-3888-4B81-BB41-6053CBEE20DF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:flarum:flarum:0.1.0:beta5:*:*:*:*:*:*",
              "matchCriteriaId": "637415E5-2EE1-4D2C-BB25-56E59827F060",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:flarum:flarum:0.1.0:beta6:*:*:*:*:*:*",
              "matchCriteriaId": "6CB8737B-762D-4ACA-B172-D36F8A93365A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:flarum:flarum:0.1.0:beta7:*:*:*:*:*:*",
              "matchCriteriaId": "36954DAE-127A-4259-8BB6-99B8EF347348",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:flarum:flarum:0.1.0:beta7.1:*:*:*:*:*:*",
              "matchCriteriaId": "5A5962B6-2742-46C8-AB55-15E5E6997045",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:flarum:flarum:0.1.0:beta7.2:*:*:*:*:*:*",
              "matchCriteriaId": "EE5F5C50-C597-4B0A-B048-5F294C1DFE57",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:flarum:flarum:0.1.0:beta8:*:*:*:*:*:*",
              "matchCriteriaId": "C1D53036-CD08-4A0D-9245-88666EBD6A1B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:flarum:flarum:0.1.0:beta8.1:*:*:*:*:*:*",
              "matchCriteriaId": "95A09CC4-B2CC-4D1D-8811-9E4BE5169677",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:flarum:flarum:0.1.0:beta8.2:*:*:*:*:*:*",
              "matchCriteriaId": "A3E94458-6C0B-4E45-BB79-22DB43F80493",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Flarum before 0.1.0-beta.9 allows CSRF against all POST endpoints, as demonstrated by changing admin settings."
    },
    {
      "lang": "es",
      "value": "Flarum hasta la versi\u00f3n 0.1.0-beta.9 permite CSRF contra todos los puntos finales POST, como se demuestra al cambiar la configuraci\u00f3n de administraci\u00f3n."
    }
  ],
  "id": "CVE-2019-13183",
  "lastModified": "2024-11-21T04:24:22.547",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 6.8,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2019-07-07T15:15:10.307",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes",
        "Vendor Advisory"
      ],
      "url": "https://discuss.flarum.org/d/20606-flarum-0-1-0-beta-9-released"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes",
        "Third Party Advisory"
      ],
      "url": "https://github.com/flarum/core/blob/master/CHANGELOG.md"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/flarum/core/security/advisories/GHSA-3wjh-93gr-chh6"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes",
        "Vendor Advisory"
      ],
      "url": "https://discuss.flarum.org/d/20606-flarum-0-1-0-beta-9-released"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes",
        "Third Party Advisory"
      ],
      "url": "https://github.com/flarum/core/blob/master/CHANGELOG.md"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/flarum/core/security/advisories/GHSA-3wjh-93gr-chh6"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-352"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GSD-2019-13183

Vulnerability from gsd - Updated: 2023-12-13 01:23

Details

Flarum before 0.1.0-beta.9 allows CSRF against all POST endpoints, as demonstrated by changing admin settings.

Aliases

CVE-2019-13183

Aliases

CVE-2019-13183

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2019-13183",
    "description": "Flarum before 0.1.0-beta.9 allows CSRF against all POST endpoints, as demonstrated by changing admin settings.",
    "id": "GSD-2019-13183"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2019-13183"
      ],
      "details": "Flarum before 0.1.0-beta.9 allows CSRF against all POST endpoints, as demonstrated by changing admin settings.",
      "id": "GSD-2019-13183",
      "modified": "2023-12-13T01:23:41.098153Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2019-13183",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Flarum before 0.1.0-beta.9 allows CSRF against all POST endpoints, as demonstrated by changing admin settings."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/flarum/core/blob/master/CHANGELOG.md",
            "refsource": "MISC",
            "url": "https://github.com/flarum/core/blob/master/CHANGELOG.md"
          },
          {
            "name": "https://discuss.flarum.org/d/20606-flarum-0-1-0-beta-9-released",
            "refsource": "CONFIRM",
            "url": "https://discuss.flarum.org/d/20606-flarum-0-1-0-beta-9-released"
          },
          {
            "name": "https://github.com/flarum/core/security/advisories/GHSA-3wjh-93gr-chh6",
            "refsource": "CONFIRM",
            "url": "https://github.com/flarum/core/security/advisories/GHSA-3wjh-93gr-chh6"
          }
        ]
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c0.1.0-beta.9",
          "affected_versions": "All versions before 0.1.0-beta.9",
          "cvss_v2": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
          "cvss_v3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-352",
            "CWE-937"
          ],
          "date": "2019-07-09",
          "description": "Flarum allows CSRF against all POST endpoints, as demonstrated by changing admin settings.",
          "fixed_versions": [
            "0.1.0-beta.9"
          ],
          "identifier": "CVE-2019-13183",
          "identifiers": [
            "CVE-2019-13183",
            "GHSA-3wjh-93gr-chh6"
          ],
          "not_impacted": "All versions starting from 0.1.0-beta.9",
          "package_slug": "packagist/flarum/flarum",
          "pubdate": "2019-07-07",
          "solution": "Upgrade to version 0.1.0-beta.9 or above.",
          "title": "Cross-Site Request Forgery (CSRF)",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2019-13183",
            "https://discuss.flarum.org/d/20606-flarum-0-1-0-beta-9-released"
          ],
          "uuid": "7b6bf21f-86a0-43ca-b102-0619ea74da17"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:flarum:flarum:0.1.0:beta2:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:flarum:flarum:0.1.0:beta3:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:flarum:flarum:0.1.0:beta4:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:flarum:flarum:0.1.0:beta5:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:flarum:flarum:0.1.0:beta6:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:flarum:flarum:0.1.0:beta7:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:flarum:flarum:0.1.0:beta7.2:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:flarum:flarum:0.1.0:beta8.1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:flarum:flarum:0.1.0:beta8.2:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:flarum:flarum:0.1.0:-:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:flarum:flarum:0.1.0:beta7.1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:flarum:flarum:0.1.0:beta8:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2019-13183"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Flarum before 0.1.0-beta.9 allows CSRF against all POST endpoints, as demonstrated by changing admin settings."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-352"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://discuss.flarum.org/d/20606-flarum-0-1-0-beta-9-released",
              "refsource": "CONFIRM",
              "tags": [
                "Release Notes",
                "Vendor Advisory"
              ],
              "url": "https://discuss.flarum.org/d/20606-flarum-0-1-0-beta-9-released"
            },
            {
              "name": "https://github.com/flarum/core/blob/master/CHANGELOG.md",
              "refsource": "MISC",
              "tags": [
                "Release Notes",
                "Third Party Advisory"
              ],
              "url": "https://github.com/flarum/core/blob/master/CHANGELOG.md"
            },
            {
              "name": "https://github.com/flarum/core/security/advisories/GHSA-3wjh-93gr-chh6",
              "refsource": "CONFIRM",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://github.com/flarum/core/security/advisories/GHSA-3wjh-93gr-chh6"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.8,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 8.6,
          "impactScore": 6.4,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": true
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2019-07-09T16:11Z",
      "publishedDate": "2019-07-07T15:15Z"
    }
  }
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2019-13183 (GCVE-0-2019-13183)

CNVD-2019-22227

FKIE_CVE-2019-13183

GSD-2019-13183

Tags

Sightings

Nomenclature