How severe is CVE-2024-39326?

This vulnerability has a severity rating of MEDIUM with a CVSS score of 4.4 out of 10.

What type of vulnerability is CVE-2024-39326?

This is classified as CWE-352, which is a common weakness in software security.

CVE-2024-39326 - MEDIUM Severity | CVSS 4.4

Vulnerability Description

SkillTree is a micro-learning gamification platform. Prior to version 2.12.6, the endpoint `/admin/projects/{projectname}/skills/{skillname}/video` (and probably others) is open to a cross-site request forgery (CSRF) vulnerability. Due to the endpoint being CSRFable e.g POST request, supports a content type that can be exploited (multipart file upload), makes a state change and has no CSRF mitigations in place (samesite flag, CSRF token). It is possible to perform a CSRF attack against a logged in admin account, allowing an attacker that can target a logged in admin of Skills Service to modify the videos, captions, and text of the skill. Version 2.12.6 contains a patch for this issue.

Related Vulnerabilities

CVE-2024-4403

MEDIUM

CVSS:4.4(Medium)

A Cross-Site Request Forgery (CSRF) vulnerability exists in the restart_program function of the parisneo/lollms-webui v9.6. This vulnerability allows attackers to trick users into performing unintende...

CWE-3522024

CVE-2024-4839

MEDIUM

CVSS:4.4(Medium)

A Cross-Site Request Forgery (CSRF) vulnerability exists in the 'Servers Configurations' function of the parisneo/lollms-webui, versions 9.6 to the latest. The affected functions include Elastic searc...

CWE-3522024

CVE-2024-6673

MEDIUM

CVSS:4.4(Medium)

A Cross-Site Request Forgery (CSRF) vulnerability exists in the `install_comfyui` endpoint of the `lollms_comfyui.py` file in the parisneo/lollms-webui repository, versions v9.9 to the latest. The end...

CWE-3522024

CVE-2017-8382

MEDIUM

CVSS:4.5(Medium)

admidio 3.2.8 has CSRF in adm_program/modules/members/members_function.php with an impact of deleting arbitrary user accounts.

CWE-3522017

CVE-2020-20586

MEDIUM

CVSS:4.5(Medium)

A cross site request forgery (CSRF) vulnerability in the /xyhai.php?s=/Auth/editUser URI of XYHCMS V3.6 allows attackers to edit any information of the administrator such as the name, e-mail, and pass...

CWE-3522020

CVE-2020-36191

MEDIUM

CVSS:4.5(Medium)

JupyterHub 1.1.0 allows CSRF in the admin panel via a request that lacks an _xsrf field, as demonstrated by a /hub/api/user request (to add or remove a user account).

CWE-3522020