@filipaze
Created October 19, 2022 14:46
CVE-2022-40488
ProcessWire Cross Site Request Forgery (CSRF) Vulnerabilities
Version: ProcessWire v3.0.200 and older versions
Description:
ProcessWire is a free content management system (CMS) and framework (CMF).
Vulnerability:
ProcessWire v3.0.200 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability.
Although ProcessWire implements an anti-CSRF token, the token is not properly validated, allowing an attacker to induce users to perform actions that they do not intend to perform.
Affected functionalities:
> create, edit and delete bookmarks
> delete users
> delete roles
> delete permissions
> install permissions
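The defect class described above is a token that is issued but not actually checked against the value bound to the victim's session. The following is an added illustration of that distinction, not ProcessWire's code: a hypothetical weak validator that only checks a token-shaped value is present, beside a hardened validator that requires the submitted token to match the session-bound one in a constant-time comparison. Session storage, the `_csrf` field name and the handler are all constructed for the example.

```python
import hmac
import secrets
from typing import Callable, Optional

# Added example (not ProcessWire's implementation). The "weak" validator is a
# hypothetical pattern chosen to show why a token that exists but is not
# compared to the session's value gives no CSRF protection.

SESSION_KEY = "csrf_token"  # constructed session field name


def issue_token(session: dict) -> str:
    """Generate a random per-session token and store it server-side."""
    token = secrets.token_hex(32)
    session[SESSION_KEY] = token
    return token


def weak_validate(session: dict, submitted: Optional[str]) -> bool:
    """Hypothetical weak check: accepts any well-formed token value and never
    compares it to the token issued to this session."""
    return bool(submitted) and len(submitted) == 64


def strict_validate(session: dict, submitted: Optional[str]) -> bool:
    """Hardened check: token must be present, bound to this session, and
    compared in constant time to avoid timing side channels."""
    expected = session.get(SESSION_KEY)
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def handle_delete(session: dict, form: dict,
                  validate: Callable[[dict, Optional[str]], bool]) -> str:
    """A state-changing handler (think 'delete user') guarded by a validator.
    Returns 'rejected' or 'deleted' so the outcome can be asserted on."""
    if not validate(session, form.get("_csrf")):
        return "rejected"
    return "deleted"


def demo() -> dict:
    """Run the same cross-site request against both validators.

    'other_token' stands in for a value that was never issued to this
    session (e.g. one carried by a request from another origin)."""
    session: dict = {}
    real_token = issue_token(session)
    other_token = secrets.token_hex(32)  # constructed, not from this session
    return {
        "weak_other": handle_delete(session, {"_csrf": other_token}, weak_validate),
        "strict_other": handle_delete(session, {"_csrf": other_token}, strict_validate),
        "strict_missing": handle_delete(session, {}, strict_validate),
        "strict_real": handle_delete(session, {"_csrf": real_token}, strict_validate),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the comparison is the `strict_other` and `strict_missing` rows: a validator that only inspects the submitted value, rather than binding it to the session that issued it, lets the state change go through exactly as the advisory describes for the affected delete and install actions.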
Fix URL: https://github.com/processwire/processwire/commit/95bdbf76ba0761d7fa1e8a5f8334b790da0a394b
Credits:
These vulnerabilities were discovered by Filipe Azevedo and Guilherme Santos.
We worked with the ProcessWire security team to have these security flaws
reported and fixed.
We would like to publicly thank Ryan for his prompt response!