Created
October 19, 2022 14:46
CVE-2022-40488
ProcessWire Cross-Site Request Forgery (CSRF) Vulnerabilities
Version: ProcessWire v3.0.200 and older versions
Description:
ProcessWire is a free content management system (CMS) and framework (CMF).
Vulnerability:
ProcessWire v3.0.200 was discovered to contain Cross-Site Request Forgery (CSRF) vulnerabilities.
Although ProcessWire implements an anti-CSRF token, the token is not properly validated on the affected requests. An attacker who lures an authenticated user (for the actions below, one with the corresponding admin privileges) to a malicious page can therefore make that user's browser perform actions the user did not intend to perform.
Affected functionalities:
> create, edit and delete bookmarks
> delete users
> delete roles
> delete permissions
> install permissions
Fix URL: https://github.com/processwire/processwire/commit/95bdbf76ba0761d7fa1e8a5f8334b790da0a394b
Sites running v3.0.200 or older should update to a release that includes this commit.
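What "properly validated" means in practice, as an added illustration that is not ProcessWire's code, does not use its `$session->CSRF` API, and makes no claim about which specific check the commit above changed: an anti-CSRF token only helps if the server refuses requests where it is absent, compares it in constant time, and ties it to the requesting user's own session. The script below is a hypothetical minimal handler in Python; `SESSIONS`, `USERS`, `validate_weak`, `validate_strict` and `delete_user` are assumed names, and the forged request body is constructed for the demonstration.

```python
import hmac
import secrets

# Constructed in-memory stores (hypothetical; a real CMS keeps these in its
# session backend and database).
SESSIONS = {}
USERS = {"alice", "bob"}


def new_session():
    """Create a session and mint a fresh, unguessable CSRF token bound to it."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"csrf": secrets.token_urlsafe(32)}
    return sid


def token_for(sid):
    """The value the application renders into its own forms as a hidden field."""
    return SESSIONS[sid]["csrf"]


def validate_weak(sid, submitted):
    """Anti-pattern: a token is issued, but its absence is tolerated and the
    comparison is not constant-time. A cross-site form that simply omits the
    field passes this check, so the token protects nothing."""
    if not submitted:
        return True
    return submitted == SESSIONS[sid]["csrf"]


def validate_strict(sid, submitted):
    """Correct check: the token must be present, must belong to *this*
    session, and is compared in constant time."""
    expected = SESSIONS.get(sid, {}).get("csrf")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def delete_user(sid, form, check):
    """Hypothetical state-changing admin action guarded by `check`.
    Returns True only if the deletion was actually performed."""
    if sid not in SESSIONS or not check(sid, form.get("_csrf", "")):
        return False
    USERS.discard(form["name"])
    return True


def forged_request():
    """Constructed cross-site POST body: the attacker's page controls the
    fields but cannot read the victim's session-bound token, so it has none."""
    return {"name": "bob"}


def demo():
    """Run the forged and genuine submissions through both checks."""
    USERS.update({"alice", "bob"})
    sid = new_session()
    genuine = {"name": "alice", "_csrf": token_for(sid)}
    return {
        "weak_accepts_forged": delete_user(sid, forged_request(), validate_weak),
        "strict_rejects_forged": not delete_user(sid, forged_request(), validate_strict),
        "strict_rejects_wrong_token": not delete_user(
            sid, {"name": "alice", "_csrf": "x" * 43}, validate_strict
        ),
        "strict_accepts_genuine": delete_user(sid, genuine, validate_strict),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The weak check is not a claim about ProcessWire's code; it is the generic shape of a "token present but not enforced" bug, and every entry of `demo()` comes back True: the weak path deletes a user from a request carrying no token at all, while the strict path rejects a missing token, a wrong token and (because the lookup is per session) a token copied from another session.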
Credits:
These vulnerabilities were discovered by Filipe Azevedo and Guilherme Santos.
We worked with the ProcessWire security team to have these security flaws
reported and fixed.
We would like to publicly thank Ryan for his prompt response!