CVE-2021-45886

Опубликовано: 13 мар. 2022

Источник: nvd

CVSS3: 8.8

CVSS2: 6.8

EPSS Низкий

Описание

An issue was discovered in PONTON X/P Messenger before 3.11.2. Anti-CSRF tokens are globally valid, making the web application vulnerable to a weakened version of CSRF, where an arbitrary token of a low-privileged user (such as operator) can be used to confirm actions of higher-privileged ones (such as xpadmin).

Ссылки

https://www.ponton.de/products/xpmessenger/
Product
Vendor Advisory
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-080.txt
Exploit
Release Notes
Third Party Advisory
https://www.ponton.de/products/xpmessenger/
Product
Vendor Advisory
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-080.txt
Exploit
Release Notes
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:ponton:x\/p_messenger:3.8.0:*:*:*:*:*:*:*

cpe:2.3:a:ponton:x\/p_messenger:3.10.0:*:*:*:*:*:*:*

EPSS

Процентиль: 35%

0.00146

Низкий

8.8 High

CVSS3

6.8 Medium

CVSS2

Дефекты

CWE-352

Связанные уязвимости

GHSA-xgh6-mwxq-8jp5