GitHub Advisory DatabaseGHSA-HWMH-9JJ9-8C9CContao CSRF Token Bypass
6.8 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
6.8 Medium
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
30.9%
Security researcher Ali Razzaq has discovered that the request token check can be bypassed in Contao 4.7
Affected configurations
| CPE | Name | Operator | Version |
|---|---|---|---|
| contao/core-bundle | lt | 4.7.3 | |
| contao/contao | lt | 4.7.3 |
References
contao.org/en/news.html
contao.org/en/news/security-vulnerability-cve-2019-10642.html
github.com/advisories/GHSA-hwmh-9jj9-8c9c
github.com/contao/contao/commit/ee2c8130c2e68a1d0d2e75bd6b774c4393942b15
github.com/FriendsOfPHP/security-advisories/blob/master/contao/contao/CVE-2019-10642.yaml
github.com/FriendsOfPHP/security-advisories/blob/master/contao/core-bundle/CVE-2019-10642.yaml
nvd.nist.gov/vuln/detail/CVE-2019-10642
Related
6.8 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
6.8 Medium
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
30.9%