Headline
CVE-2023-5902: Cross-Site Request Forgery (CSRF) in pkp-lib
Cross-Site Request Forgery (CSRF) in GitHub repository pkp/pkp-lib prior to 3.3.0-16.
Valid
Description
A CSRF vulnerability allowed the permissions of a participant to be changed in Edit Assignment sessions.
Proof of Concept
Payload: https://drive.google.com/file/d/1dHY9CS6R4mKM4F0im5n1aUxFamMEjbAa/view?usp=sharing
Video PoC: https://drive.google.com/file/d/1AdDFE_-qOF-EvVEJzzXKguMfr6ZkXXEx/view?usp=drive_link
Impact
This vulnerability is capable of changing the permission assignments of a participant.
We are processing your report and will contact the pkp/pkp-lib team within 24 hours. a month ago
We have contacted a member of the pkp/pkp-lib team and are waiting to hear back a month ago
Alec Smecher modified the Severity from Medium (5.4) to Medium (4.3) a month ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
The fix bounty is now up for grabs
The researcher’s credibility has increased: +7
The fix bounty has been dropped
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Nov 1st 2023