Lucene search

Veracode Vulnerability DatabaseVERACODE:45288

HistoryFeb 02, 2024 - 8:34 a.m.

Cross-Site Request Forgery (CSRF)

2024-02-0208:34:27

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

cross-site request forgery

csrf

vulnerable

tokens

caching

arbitrary requests

livewire

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score

7.4

Confidence

High

EPSS

0.001

Percentile

50.9%

JSON

livewire is vulnerable to Cross-Site Request Forgery (CSRF). The vulnerability is caused due to tokens persisting across sessions due to insecure caching within the getCsrfToken function. This allows an attacker to execute arbitrary requests on the server.

References

github.com/advisories/GHSA-2cjh-75gp-34gc

github.com/github/advisory-database/pull/3490

github.com/livewire/livewire/commit/5d887316f2aaf83c0e380ac5e72766f19700fa3b

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score

7.4

Confidence

High

EPSS

0.001

Percentile

50.9%

JSON

Related for VERACODE:45288