CVE-2020-28191 — Togglz console missing cross-site request forgery (CSRF) protection

Description

Togglz is an implementation of the Feature Toggles pattern for Java. There is no CSRF protection in the togglz console and could allow an attacker to guess the CSRF token value. Version 2.9.4 adds the necessary CSRF protection.

How to fix CVE-2020-28191

To remediate CVE-2020-28191, upgrade the affected package to a fixed version below.

—upgrade to 2.9.4 or later

Is CVE-2020-28191 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 2.9.4

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-28191
PATCHgithub.com/togglz/togglz
WEBgithub.com/togglz/togglz/commit/ed66e3f584de954297ebaf98ea4a235286784707
WEBgithub.com/togglz/togglz/pull/495
WEB