An issue was discovered in Serpico (aka SimplE RePort wrIting and CollaboratiOn tool) 1.3.0. It does not use CSRF Tokens to mitigate against CSRF; it uses the Origin header (which must match the request origin). This is problematic in conjunction with XSS: one can escalate privileges from User level to Administrator.
Metrics
Affected Vendors & Products
References
Link | Providers |
---|---|
https://websec.nl/news.php |
History
No history.
MITRE
Status: PUBLISHED
Assigner: mitre
Published: 2020-01-15T22:51:42
Updated: 2024-08-05T02:25:12.901Z
Reserved: 2019-12-17T00:00:00
Link: CVE-2019-19854
Vulnrichment
No data.
NVD
Status : Modified
Published: 2020-01-15T23:15:11.573
Modified: 2024-11-21T04:35:32.147
Link: CVE-2019-19854
Redhat
No data.