Описание
PHPKIT 1.6.4 PL1 includes the session ID in the URL, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks by reading the PHPKITSID parameter from the HTTP Referer and using it in a request to (1) modify the user profile via upload_files/include.php or (2) create a new administrator via upload_files/pk/include.php.
Уязвимые конфигурации
Конфигурация 1
cpe:2.3:a:phpkit:phpkit:1.6.4pl1:*:*:*:*:*:*:*
EPSS
Процентиль: 43%
0.00205
Низкий
6.8 Medium
CVSS2
Дефекты
CWE-352
Связанные уязвимости
github
больше 3 лет назад
PHPKIT 1.6.4 PL1 includes the session ID in the URL, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks by reading the PHPKITSID parameter from the HTTP Referer and using it in a request to (1) modify the user profile via upload_files/include.php or (2) create a new administrator via upload_files/pk/include.php.
EPSS
Процентиль: 43%
0.00205
Низкий
6.8 Medium
CVSS2
Дефекты
CWE-352