fkie_nvd - fkie_cve-2019-13183

FKIE_CVE-2019-13183

Vulnerability from fkie_nvd - Published: 2019-07-07 15:15 - Updated: 2024-11-21 04:24

Severity ?

8.8 (High) - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Summary

Flarum before 0.1.0-beta.9 allows CSRF against all POST endpoints, as demonstrated by changing admin settings.

References

URL	Tags
cve@mitre.org	https://discuss.flarum.org/d/20606-flarum-0-1-0-beta-9-released	Release Notes, Vendor Advisory
cve@mitre.org	https://github.com/flarum/core/blob/master/CHANGELOG.md	Release Notes, Third Party Advisory
cve@mitre.org	https://github.com/flarum/core/security/advisories/GHSA-3wjh-93gr-chh6	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://discuss.flarum.org/d/20606-flarum-0-1-0-beta-9-released	Release Notes, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/flarum/core/blob/master/CHANGELOG.md	Release Notes, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/flarum/core/security/advisories/GHSA-3wjh-93gr-chh6	Third Party Advisory

Impacted products

Vendor	Product	Version
flarum	flarum	0.1.0
flarum	flarum	0.1.0
flarum	flarum	0.1.0
flarum	flarum	0.1.0
flarum	flarum	0.1.0
flarum	flarum	0.1.0
flarum	flarum	0.1.0
flarum	flarum	0.1.0
flarum	flarum	0.1.0
flarum	flarum	0.1.0
flarum	flarum	0.1.0
flarum	flarum	0.1.0

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:flarum:flarum:0.1.0:-:*:*:*:*:*:*",
              "matchCriteriaId": "D9EF6C49-5066-4252-8356-6109F26CD021",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:flarum:flarum:0.1.0:beta2:*:*:*:*:*:*",
              "matchCriteriaId": "29211245-B5E7-4D83-BE77-573D8DF19079",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:flarum:flarum:0.1.0:beta3:*:*:*:*:*:*",
              "matchCriteriaId": "5122F0A6-28F6-4DF5-89E2-850C67729C59",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:flarum:flarum:0.1.0:beta4:*:*:*:*:*:*",
              "matchCriteriaId": "3D9BAA2E-3888-4B81-BB41-6053CBEE20DF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:flarum:flarum:0.1.0:beta5:*:*:*:*:*:*",
              "matchCriteriaId": "637415E5-2EE1-4D2C-BB25-56E59827F060",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:flarum:flarum:0.1.0:beta6:*:*:*:*:*:*",
              "matchCriteriaId": "6CB8737B-762D-4ACA-B172-D36F8A93365A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:flarum:flarum:0.1.0:beta7:*:*:*:*:*:*",
              "matchCriteriaId": "36954DAE-127A-4259-8BB6-99B8EF347348",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:flarum:flarum:0.1.0:beta7.1:*:*:*:*:*:*",
              "matchCriteriaId": "5A5962B6-2742-46C8-AB55-15E5E6997045",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:flarum:flarum:0.1.0:beta7.2:*:*:*:*:*:*",
              "matchCriteriaId": "EE5F5C50-C597-4B0A-B048-5F294C1DFE57",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:flarum:flarum:0.1.0:beta8:*:*:*:*:*:*",
              "matchCriteriaId": "C1D53036-CD08-4A0D-9245-88666EBD6A1B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:flarum:flarum:0.1.0:beta8.1:*:*:*:*:*:*",
              "matchCriteriaId": "95A09CC4-B2CC-4D1D-8811-9E4BE5169677",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:flarum:flarum:0.1.0:beta8.2:*:*:*:*:*:*",
              "matchCriteriaId": "A3E94458-6C0B-4E45-BB79-22DB43F80493",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Flarum before 0.1.0-beta.9 allows CSRF against all POST endpoints, as demonstrated by changing admin settings."
    },
    {
      "lang": "es",
      "value": "Flarum hasta la versi\u00f3n 0.1.0-beta.9 permite CSRF contra todos los puntos finales POST, como se demuestra al cambiar la configuraci\u00f3n de administraci\u00f3n."
    }
  ],
  "id": "CVE-2019-13183",
  "lastModified": "2024-11-21T04:24:22.547",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 6.8,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2019-07-07T15:15:10.307",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes",
        "Vendor Advisory"
      ],
      "url": "https://discuss.flarum.org/d/20606-flarum-0-1-0-beta-9-released"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes",
        "Third Party Advisory"
      ],
      "url": "https://github.com/flarum/core/blob/master/CHANGELOG.md"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/flarum/core/security/advisories/GHSA-3wjh-93gr-chh6"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes",
        "Vendor Advisory"
      ],
      "url": "https://discuss.flarum.org/d/20606-flarum-0-1-0-beta-9-released"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes",
        "Third Party Advisory"
      ],
      "url": "https://github.com/flarum/core/blob/master/CHANGELOG.md"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/flarum/core/security/advisories/GHSA-3wjh-93gr-chh6"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-352"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

CVE-2019-13183 (GCVE-0-2019-13183)

Vulnerability from cvelistv5 – Published: 2019-07-07 14:34 – Updated: 2024-08-04 23:41

Summary

Flarum before 0.1.0-beta.9 allows CSRF against all POST endpoints, as demonstrated by changing admin settings.

Severity ?

No CVSS data available.

CWE

Assigner

mitre

References

URL

Tags

	https://github.com/flarum/core/blob/master/CHANGELOG.md	x_refsource_MISC
	https://discuss.flarum.org/d/20606-flarum-0-1-0-b…	x_refsource_CONFIRM
	https://github.com/flarum/core/security/advisorie…	x_refsource_CONFIRM

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T23:41:10.532Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/flarum/core/blob/master/CHANGELOG.md"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://discuss.flarum.org/d/20606-flarum-0-1-0-beta-9-released"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/flarum/core/security/advisories/GHSA-3wjh-93gr-chh6"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Flarum before 0.1.0-beta.9 allows CSRF against all POST endpoints, as demonstrated by changing admin settings."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-07-07T14:34:45",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/flarum/core/blob/master/CHANGELOG.md"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://discuss.flarum.org/d/20606-flarum-0-1-0-beta-9-released"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/flarum/core/security/advisories/GHSA-3wjh-93gr-chh6"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2019-13183",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Flarum before 0.1.0-beta.9 allows CSRF against all POST endpoints, as demonstrated by changing admin settings."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/flarum/core/blob/master/CHANGELOG.md",
              "refsource": "MISC",
              "url": "https://github.com/flarum/core/blob/master/CHANGELOG.md"
            },
            {
              "name": "https://discuss.flarum.org/d/20606-flarum-0-1-0-beta-9-released",
              "refsource": "CONFIRM",
              "url": "https://discuss.flarum.org/d/20606-flarum-0-1-0-beta-9-released"
            },
            {
              "name": "https://github.com/flarum/core/security/advisories/GHSA-3wjh-93gr-chh6",
              "refsource": "CONFIRM",
              "url": "https://github.com/flarum/core/security/advisories/GHSA-3wjh-93gr-chh6"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2019-13183",
    "datePublished": "2019-07-07T14:34:45",
    "dateReserved": "2019-07-02T00:00:00",
    "dateUpdated": "2024-08-04T23:41:10.532Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

FKIE_CVE-2019-13183

CVE-2019-13183 (GCVE-0-2019-13183)

Tags

Sightings

Nomenclature