odata-client-core is vulnerable to cross-site request forgery (CSRF). The AsyncRequestWrapperImpl class reads a URL from the Location header and sends a GET/DELETE request to that URL without verifying the authenticity of the request. This allows a remote attacker to trick a user into visiting a malicious site that causes the client browser to make a call to any URL, including internal resources that are not directly accessible to the attacker.

CPE

| Name | Operator | Version |
|---|---|---|
| odata-client-core | le | 4.7.0 |
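
A caller-side check for the Location handling described above, written as an added example and not taken from odata-client-core: it resolves the header value against the original request URI and refuses to follow it unless scheme, host and port are unchanged. The class `LocationGuard`, its methods and the sample hosts are hypothetical and constructed for illustration.

```java
import java.net.URI;
import java.util.Locale;

/** Hypothetical helper (not Olingo code): accept a Location value only if it
 *  stays on the origin of the request that produced the response. */
public final class LocationGuard {

    /** Resolves the header against the request URI and returns the target,
     *  or throws if it leaves the original scheme/host/port. */
    public static URI checkedTarget(URI requestUri, String locationHeader) {
        if (locationHeader == null || locationHeader.trim().isEmpty()) {
            throw new IllegalArgumentException("missing Location header");
        }
        // URI.create throws IllegalArgumentException on malformed input.
        URI target = requestUri.resolve(URI.create(locationHeader.trim())).normalize();
        if (target.getHost() == null || target.getRawUserInfo() != null) {
            throw new IllegalArgumentException("Location has no host or carries userinfo");
        }
        if (!sameOrigin(requestUri, target)) {
            throw new IllegalArgumentException("Location leaves request origin: " + target);
        }
        return target;
    }

    static boolean sameOrigin(URI a, URI b) {
        return scheme(a).equals(scheme(b))
            && a.getHost() != null && a.getHost().equalsIgnoreCase(b.getHost())
            && port(a) == port(b);
    }

    private static String scheme(URI u) {
        return u.getScheme() == null ? "" : u.getScheme().toLowerCase(Locale.ROOT);
    }

    private static int port(URI u) {
        if (u.getPort() != -1) return u.getPort();
        return "https".equals(scheme(u)) ? 443 : "http".equals(scheme(u)) ? 80 : -1;
    }

    public static void main(String[] args) {
        URI req = URI.create("https://odata.example.test/svc/Products"); // constructed sample
        String[] samples = { "/svc/monitor/42", "https://ODATA.example.test:443/m/1",
            "http://intranet.example.test/status", "https://odata.example.test@other.test/" };
        for (String s : samples) {
            try { System.out.println("follow " + checkedTarget(req, s)); }
            catch (IllegalArgumentException e) { System.out.println("reject " + s + " (" + e.getMessage() + ")"); }
        }
    }
}
```

A deployment whose service legitimately hands out monitor URLs on a different host would replace the same-origin test with an explicit allow-list of origins.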