CVE-2024-56310

Опубликовано: 22 дек. 2024

Источник: nvd

CVSS3: 8.8

EPSS Низкий

Описание

REDCap through 14.9.6 has a security flaw in the Project Dashboards name, exposing users to a Cross-Site Request Forgery (CSRF) attack. An attacker can exploit this by luring users into clicking on a Project Dashboards name that contains the malicious payload, which triggers a logout request and terminates their session. This vulnerability stems from the absence of CSRF protections on the logout functionality, allowing malicious actions to be executed without user consent.

Ссылки

https://github.com/ping-oui-no/Vulnerability-Research-CVESS/tree/main/RedCap
Exploit
Third Party Advisory
https://www.evms.edu/research/resources_services/redcap/redcap_change_log/
Product

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:vanderbilt:redcap:*:*:*:*:*:*:*:*

Версия до 14.9.6 (включая)

EPSS

Процентиль: 20%

0.00064

Низкий

8.8 High

CVSS3

Дефекты

CWE-352

Связанные уязвимости

GHSA-rfmp-w9w5-rmhv

CVSS3: 8.8

github

около 1 года назад

REDCap through 15.0.0 has a security flaw in the Project Dashboards name, exposing users to a Cross-Site Request Forgery (CSRF) attack. An attacker can exploit this by luring users into clicking on a Project Dashboards name that contains the malicious payload, which triggers a logout request and terminates their session. This vulnerability stems from the absence of CSRF protections on the logout functionality, allowing malicious actions to be executed without user consent.

EPSS

Процентиль: 20%

0.00064

Низкий

8.8 High

CVSS3

Дефекты

CWE-352