CVE-2023-7038

MEDIUM4.3EPSS 0.14%

Cross-Site Request Forgery (CSRF) in automad/automad

Published: 12/21/2023Modified: 8/19/2024

Description

automad up to 1.10.9 does not implement anti-CSRF tokens by default, making it vulnerable Cross-Site Request Forgery (CSRF). An attacker may exploit this vulnerability to force an admin into creating or deleting users. An exploit has been disclosed publicly.

Affected packages (1)

Packagist/automad/automadfrom 0, < 2.0.0-alpha.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

References (5)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2023-7038
PATCHhttps://github.com/marcantondahmen/automad
WEBhttps://github.com/screetsec/VDD/tree/main/Automad%20CMS/Cross-Site%20Request%20Forgery%20(CSRF)
WEBhttps://vuldb.com/?ctiid.248687
WEBhttps://vuldb.com/?id.248687