exploitDog

CVE-2020-13416

Опубликовано: 22 мая 2020

Источник: nvd

CVSS3: 6.5

CVSS2: 4.3

EPSS Низкий

Описание

An issue was discovered in Aviatrix Controller before 5.4.1066. A Controller Web Interface session token parameter is not required on an API call, which opens the application up to a Cross Site Request Forgery (CSRF) vulnerability for password resets.

Ссылки

https://docs.aviatrix.com/HowTos/security_bulletin_article.html#csrf-on-password-reset
Vendor Advisory
https://docs.aviatrix.com/HowTos/security_bulletin_article.html#csrf-on-password-reset
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:aviatrix:controller:*:*:*:*:*:*:*:*

Версия до 5.4.1066 (исключая)

EPSS

Процентиль: 41%

0.0019

Низкий

6.5 Medium

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-352

Связанные уязвимости

GHSA-53jf-8wq6-r7jr

github

больше 3 лет назад

An issue was discovered in Aviatrix Controller before 5.4.1066. A Controller Web Interface session token parameter is not required on an API call, which opens the application up to a Cross Site Request Forgery (CSRF) vulnerability for password resets.

EPSS

Процентиль: 41%

0.0019

Низкий

6.5 Medium

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-352