CVE-2019-13594

HIGH8.8EPSS 0.14%

Mirumee Saleor CSRF Protection Disabled

Published: 5/24/2022Modified: 11/8/2023

Description

In Mirumee Saleor 2.7.0 (fixed in 2.8.0), CSRF protection middleware was accidentally disabled, which allowed attackers to send a POST request without a valid CSRF token and be accepted by the server.

Affected packages (1)

PyPI/saleor>= 2.7.0, < 2.8.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.8	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References (3)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2019-13594
WEBhttps://github.com/mirumee/saleor/commit/94c07034ff1bfc209461e39ca1bb6228d8ca0e35
WEBhttp://web.archive.org/web/20190713094847/https://github.com/mirumee/saleor/releases/tag/2.8.0