Lucene search

Veracode Vulnerability DatabaseVERACODE:44763

HistoryDec 20, 2023 - 10:05 a.m.

Cross Site Request Forgery (CSRF)

2023-12-2010:05:15

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

phpsysinfo

cross site request forgery

jsonp hijacking

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

0.001 Low

EPSS

Percentile

43.0%

JSON

Phpsysinfo is vulnerable to Cross Site Request Forgery (CSRF). The vulnerability is caused due to the missing validation for JSONP requests in read_config.php file. This could allow an attacker to retrieve sensitive JSON data from the server,leads JSONP hijacking vulnerability.

CPENameOperatorVersion
phpsysinfo/phpsysinfolev3.4.2
phpsysinfo:sideq3.2.5-3
phpsysinfo/phpsysinfolev3.4.2
phpsysinfo:sideq3.2.5-3

Name	Operator	Version
phpsysinfo/phpsysinfo	le	v3.4.2
phpsysinfo:sid	eq	3.2.5-3
phpsysinfo/phpsysinfo	le	v3.4.2
phpsysinfo:sid	eq	3.2.5-3

References

github.com/advisories/GHSA-67gv-xrw7-p72w

github.com/Hebing123/cve/issues/5

github.com/phpsysinfo/phpsysinfo/commit/4f2cee505e4f2e9b369a321063ff2c5e0c34ba45

huntr.com/bounties/ca6d669f-fd82-4188-aae2-69e08740d982/

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

0.001 Low

EPSS

Percentile

43.0%

JSON

Related for VERACODE:44763