FKIE_CVE-2024-39326

Vulnerability from fkie_nvd - Published: 2024-07-02 21:15 - Updated: 2024-11-21 09:27
Severity ?
4.4 (Medium) - CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N
Summary
SkillTree is a micro-learning gamification platform. Prior to version 2.12.6, the endpoint `/admin/projects/{projectname}/skills/{skillname}/video` (and probably others) is open to a cross-site request forgery (CSRF) vulnerability. Due to the endpoint being CSRFable e.g POST request, supports a content type that can be exploited (multipart file upload), makes a state change and has no CSRF mitigations in place (samesite flag, CSRF token). It is possible to perform a CSRF attack against a logged in admin account, allowing an attacker that can target a logged in admin of Skills Service to modify the videos, captions, and text of the skill. Version 2.12.6 contains a patch for this issue.
References
security-advisories@github.comhttps://github.com/NationalSecurityAgency/skills-service/blob/24dd22f43306fc616e4580fb8bb88f66b5d9b41d/service/src/main/java/skills/controller/AdminController.groovy#L574
security-advisories@github.comhttps://github.com/NationalSecurityAgency/skills-service/commit/68d4235ddcb16e4f33fc7f19d14ff917817a366c
security-advisories@github.comhttps://github.com/NationalSecurityAgency/skills-service/security/advisories/GHSA-9624-qwxr-jr4j
af854a3a-2127-422b-91ae-364da2661108https://github.com/NationalSecurityAgency/skills-service/blob/24dd22f43306fc616e4580fb8bb88f66b5d9b41d/service/src/main/java/skills/controller/AdminController.groovy#L574
af854a3a-2127-422b-91ae-364da2661108https://github.com/NationalSecurityAgency/skills-service/commit/68d4235ddcb16e4f33fc7f19d14ff917817a366c
af854a3a-2127-422b-91ae-364da2661108https://github.com/NationalSecurityAgency/skills-service/security/advisories/GHSA-9624-qwxr-jr4j
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "SkillTree is a micro-learning gamification platform. Prior to version 2.12.6, the endpoint \n`/admin/projects/{projectname}/skills/{skillname}/video` (and probably others) is open to a cross-site request forgery (CSRF) vulnerability. Due to the endpoint being CSRFable e.g POST request, supports a content type that can be exploited (multipart file upload), makes a state change and has no CSRF mitigations in place (samesite flag, CSRF token). It is possible to perform a CSRF attack against a logged in admin account, allowing an attacker that can target a logged in admin of Skills Service to modify the videos, captions, and text of the skill. Version 2.12.6 contains a patch for this issue.\n"
    },
    {
      "lang": "es",
      "value": "SkillTree es una plataforma de gamificaci\u00f3n de microaprendizaje. Antes de la versi\u00f3n 2.12.6, el endpoint `/admin/projects/{projectname}/skills/{skillname}/video` (y probablemente otros) est\u00e1 abierto a una vulnerabilidad de cross-site request forgery (CSRF). Debido a que el endpoint es CSRFable, por ejemplo, solicitud POST, admite un tipo de contenido que puede explotarse (carga de archivos de varias partes), realiza un cambio de estado y no tiene mitigaciones de CSRF implementadas (indicador del mismo sitio, token CSRF). Es posible realizar un ataque CSRF contra una cuenta de administrador que haya iniciado sesi\u00f3n, lo que permite que un atacante que pueda apuntar a un administrador de Skills que haya iniciado sesi\u00f3n modifique los videos, los subt\u00edtulos y el texto de la habilidad. La versi\u00f3n 2.12.6 contiene un parche para este problema."
    }
  ],
  "id": "CVE-2024-39326",
  "lastModified": "2024-11-21T09:27:28.167",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 0.7,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-07-02T21:15:11.657",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/NationalSecurityAgency/skills-service/blob/24dd22f43306fc616e4580fb8bb88f66b5d9b41d/service/src/main/java/skills/controller/AdminController.groovy#L574"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/NationalSecurityAgency/skills-service/commit/68d4235ddcb16e4f33fc7f19d14ff917817a366c"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/NationalSecurityAgency/skills-service/security/advisories/GHSA-9624-qwxr-jr4j"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://github.com/NationalSecurityAgency/skills-service/blob/24dd22f43306fc616e4580fb8bb88f66b5d9b41d/service/src/main/java/skills/controller/AdminController.groovy#L574"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://github.com/NationalSecurityAgency/skills-service/commit/68d4235ddcb16e4f33fc7f19d14ff917817a366c"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://github.com/NationalSecurityAgency/skills-service/security/advisories/GHSA-9624-qwxr-jr4j"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-352"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.