CVE-2022-29557: CVE-List/CVE-2022-29557.txt at main · Q2Flc2FySec/CVE-List
LexisNexis Firco Compliance Link 3.7 allows CSRF.
Firco Compliance Link - Version 3.7 - Insufficient CSRF Protection
===============================================================================
Identifiers
-------------------------------------------------
CVE-2022-29557
Vendor
-------------------------------------------------
Lexis Nexis (https://risk.lexisnexis.com/)
Product
-------------------------------------------------
Firco Compliance Link
Affected versions
-------------------------------------------------
Firco Compliance Link - Version 3.7
Credit
-------------------------------------------------
Thomas Caesar (@Q2Flc2Fy) / Lufthansa Industry Solutions (@LHIND_DLH)
Vulnerability summary
-------------------------------------------------
Firco Compliance Link - Version 3.7 has insufficient CSRF protection. CSRF protection mechanisms are enforced only on POST requests, while some state-changing GET requests are left unprotected and also need it.
Technical details
-------------------------------------------------
An attacker can forge a request that deletes users and then trick any user holding a valid session into issuing it.
Proof of concept
-------------------------------------------------
Withheld
Solution
-------------------------------------------------
Enable CSRF protection also for GET requests.
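The following is an added illustration and not the vendor's or the reporter's code; it models the weakness described above in a small, self-contained Python dispatcher with constructed in-memory users and sessions. `handle_request_weak` reproduces the pattern from the advisory (the token is checked only for POST, so a state-changing GET passes with nothing but the session cookie), and `handle_request_fixed` shows the remediation: refuse state changes over GET and verify the session-bound token for every state-changing request. The path `/users/delete`, the session id `sess-1` and the header name `X-CSRF-Token` are hypothetical names chosen for the example.

```python
import hmac
import secrets

# Constructed demo state; this is not the product's data model or code.
STATE_CHANGING_PATHS = {"/users/delete"}  # hypothetical path used for the example


def make_app_state():
    """Fresh in-memory state: a few users and one logged-in session with its CSRF token."""
    return {
        "users": {"alice", "bob", "carol"},
        "sessions": {"sess-1": {"user": "alice", "csrf_token": secrets.token_hex(16)}},
    }


def _csrf_token_ok(request, session):
    """Constant-time comparison of the submitted token with the one bound to the session."""
    submitted = request.get("params", {}).get("csrf_token")
    if submitted is None:
        submitted = request.get("headers", {}).get("X-CSRF-Token")
    return submitted is not None and hmac.compare_digest(submitted, session["csrf_token"])


def _delete_user(state, request):
    target = request["params"]["user"]
    state["users"].discard(target)
    return 200, f"deleted {target}"


def handle_request_weak(state, request):
    """Weak pattern from the advisory: the token is verified only for POST.
    A state-changing GET is dispatched with nothing but the session cookie."""
    session = state["sessions"].get(request.get("cookie"))
    if session is None:
        return 401, "no session"
    if request["method"] == "POST" and not _csrf_token_ok(request, session):
        return 403, "bad csrf token"
    if request["path"] == "/users/delete":
        return _delete_user(state, request)
    return 404, "unknown path"


def handle_request_fixed(state, request):
    """Hardened dispatcher: state-changing paths are refused over GET, and the
    token is verified for every state-changing request whatever its method."""
    session = state["sessions"].get(request.get("cookie"))
    if session is None:
        return 401, "no session"
    if request["path"] in STATE_CHANGING_PATHS:
        if request["method"] == "GET":
            return 405, "state changes are not accepted over GET"
        if not _csrf_token_ok(request, session):
            return 403, "bad csrf token"
        return _delete_user(state, request)
    return 404, "unknown path"


def forged_delete_request(user):
    """Request as the browser of a logged-in user would send it when another origin
    triggers the URL: the session cookie is attached automatically, no token is present."""
    return {"method": "GET", "path": "/users/delete", "params": {"user": user}, "cookie": "sess-1"}


def legitimate_delete_request(state, user):
    """Same action from the application's own form: POST carrying the session's token."""
    token = state["sessions"]["sess-1"]["csrf_token"]
    return {"method": "POST", "path": "/users/delete",
            "params": {"user": user, "csrf_token": token}, "cookie": "sess-1"}


if __name__ == "__main__":
    state = make_app_state()
    print("weak, forged GET :", handle_request_weak(state, forged_delete_request("bob")), state["users"])
    state = make_app_state()
    print("fixed, forged GET:", handle_request_fixed(state, forged_delete_request("bob")), state["users"])
    print("fixed, legit POST:", handle_request_fixed(state, legitimate_delete_request(state, "bob")), state["users"])
```

Rejecting GET outright for state-changing paths is the simpler and safer of the two fixes, because it also removes the URL-based variants (image tags, prefetch, link previews) that never carry a form body; the token check on top of that covers the remaining POST path. A detection-side check for the weak version is to look in access logs for GET hits on administrative action paths with a referrer from a foreign origin.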
Timeline
-------------------------------------------------
Date | Status
------------|--------------------
11-MAY-2022 | Reported to vendor
11-AUG-2022 | End of 90-day full disclosure period
14-FEB-2023 | Full disclosure