CVE-2023-25569

CVSS v3 Score
5.7
Medium

Vulnerability Description

Apollo is a configuration management system. Prior to version 2.1.0, a low-privileged user can create a special web page. If an authenticated portal admin visits this page, the page can silently send a request to assign new roles for that user without any confirmation from the portal admin. In version 2.1.0, the cookie SameSite strategy was set to Lax. As a workaround, avoid visiting pages from unknown sources.

CVSS:5.7(Medium)

Cross-site request forgery (CSRF) vulnerability in WSO2 Carbon 4.4.5 allows remote attackers to hijack the authentication of privileged users for requests that shut down a server via a shutdown action ...

CVSS:5.7(Medium)

AlienVault USM v5.4.2 and earlier offers authenticated users the functionality of exporting generated reports via the "/ossim/report/wizard_email.php" script. Besides offering an export via a local do...

CVSS:5.7(Medium)

Multiple JasperReports Server components contain vulnerabilities which may allow authorized users to perform cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks. The impact of thi...

CVSS:5.7(Medium)

The admin-renamer-extended (aka Admin renamer extended) plugin 3.2.1 for WordPress allows wp-admin/plugins.php?page=admin-renamer-extended/admin.php CSRF.

CVSS:5.7(Medium)

The codection "Import users from CSV with meta" plugin before 1.14.2.2 for WordPress allows wp-admin/admin-ajax.php?action=acui_delete_attachment CSRF.

CVSS:5.7(Medium)

MyWebSQL 3.7 has a Cross-site request forgery (CSRF) vulnerability for deleting a database via the /?q=wrkfrm&type=databases URI.