CVE-2023-6251: CSRF in user-message deletion

Cross-site Request Forgery (CSRF) in Checkmk < 2.2.0p15, < 2.1.0p37, <= 2.0.0p39 allows an authenticated attacker to delete user messages for individual users.

CVE
#csrf #vulnerability #auth

In Checkmk you can message other users via Send user message. Prior to this Werk, an authenticated attacker who received such a user message could craft a link containing the generated message UUID that deletes the message. This link was prone to CSRF: when another user was tricked into opening it, the message was deleted, possibly before that user could read it.

  • This vulnerability was identified through a commissioned penetration test conducted by Port Zero.

Affected Versions:

  • 2.2.0
  • 2.1.0
  • 2.0.0

Vulnerability Management: We have rated the issue with a CVSS Score of 3.5 (Low) with the following CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N. We assigned CVE-2023-6251 to this vulnerability.

Changes: This Werk adds CSRF token validation to this endpoint.
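To make the before/after behaviour concrete, here is an added Python example written for this page; it is not Checkmk's own code, and the `Session`, `Request` and `MessageStore` classes, the `_csrf_token` parameter and the user names are assumptions. It models a "delete message" handler that acts on any request carrying a known message UUID, beside one that only acts on a POST whose token matches the session's token, and replays the scenario from the Werk against both: a recipient of a message embeds its UUID in a link, another recipient opens the link with their session cookie attached, and the handler decides whether that recipient's copy disappears.

```python
# Added example (not Checkmk's code): a minimal model of a "delete user message"
# endpoint before and after CSRF token validation. Class names, the request model
# and the "_csrf_token" parameter are hypothetical.
import hmac
import secrets
import uuid
from dataclasses import dataclass, field


@dataclass
class Session:
    """A logged-in user's server-side session with a per-session CSRF token."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    """A request as the server sees it. The browser attaches the session cookie
    automatically, also when the request was triggered by a link on another site."""
    method: str
    params: dict
    session: Session


class MessageStore:
    """User messages: one shared message id, one copy per recipient."""

    def __init__(self):
        self._copies = {}  # (message_id, recipient) -> text

    def send(self, recipients, text):
        message_id = str(uuid.uuid4())
        for recipient in recipients:
            self._copies[(message_id, recipient)] = text
        return message_id

    def inbox(self, user):
        return [text for (_, recipient), text in self._copies.items() if recipient == user]

    def delete_copy(self, message_id, user):
        # Only the requester's own copy can be removed. The ownership check is
        # not the flaw; the flaw is that the requester may not intend the request.
        return self._copies.pop((message_id, user), None) is not None


def delete_message_before(store, request):
    """'Before' behaviour: any request with a known message id deletes the
    requesting session's copy, regardless of what triggered the request."""
    return store.delete_copy(request.params.get("id"), request.session.user)


def delete_message_after(store, request):
    """'After' behaviour: the state change happens only on a POST carrying a
    token equal to the session's token, compared in constant time."""
    if request.method != "POST":
        return False
    token = request.params.get("_csrf_token", "")
    if not hmac.compare_digest(token.encode(), request.session.csrf_token.encode()):
        return False
    return store.delete_copy(request.params.get("id"), request.session.user)


def simulate(handler):
    """Replay the scenario from the Werk against a handler and report the outcome."""
    store = MessageStore()
    alice = Session(user="alice")  # the recipient who opens the link (constructed)
    # "mallory" is another recipient who learns the id from her own inbox (constructed)
    message_id = store.send(["alice", "mallory"], "Maintenance window tonight")
    # The crafted link: Alice's browser sends her session cookie but no token.
    forged = Request("GET", {"id": message_id}, alice)
    forged_deleted = handler(store, forged)
    # Alice deleting via the UI: a POST carrying the token rendered into her page.
    legitimate = Request("POST", {"id": message_id, "_csrf_token": alice.csrf_token}, alice)
    legitimate_deleted = handler(store, legitimate)
    return {
        "forged_deleted": forged_deleted,
        "legitimate_deleted": legitimate_deleted,
        "mallory_still_has_copy": bool(store.inbox("mallory")),
    }


if __name__ == "__main__":
    print("before fix:", simulate(delete_message_before))
    print("after fix: ", simulate(delete_message_after))
```

In the "before" run the forged GET removes Alice's copy and her later legitimate request finds nothing left to delete; in the "after" run the forged request is refused because it carries no token, and only the POST with the token rendered into her own page succeeds. The token is per session and unpredictable, so a link built by another user cannot contain it, and the comparison is constant-time so the check does not leak the token byte by byte.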
