exploitDog

CVE-2022-37160

Опубликовано: 25 авг. 2022

Источник: nvd

CVSS3: 5.4

EPSS Низкий

Описание

Claroline 13.5.7 and prior allows an authenticated attacker to elevate privileges via the arbitrary creation of a privileged user. By combining the XSS vulnerability present in several upload forms and a javascript request to the present API, it is possible to trigger the creation of a user with administrative rights by opening an SVG file as an administrator user.

Ссылки

https://github.com/matthieu-hackwitharts/claroline-CVEs/blob/main/csrf/csrf.md
Exploit
Third Party Advisory
https://github.com/matthieu-hackwitharts/claroline-CVEs/blob/main/csrf/csrf.md
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:claroline:claroline:*:*:*:*:*:*:*:*

Версия до 13.5.7 (включая)

EPSS

Процентиль: 50%

0.00272

Низкий

5.4 Medium

CVSS3

Дефекты

CWE-79

Связанные уязвимости

GHSA-wf9g-xq9w-3q55

CVSS3: 5.4

github

больше 3 лет назад

Claroline 13.5.7 and prior allows an authenticated attacker to elevate privileges via the arbitrary creation of a privileged user. By combining the XSS vulnerability present in several upload forms and a javascript request to the present API, it is possible to trigger the creation of a user with administrative rights by opening an SVG file as an administrator user.

EPSS

Процентиль: 50%

0.00272

Низкий

5.4 Medium

CVSS3

Дефекты

CWE-79