{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-39326", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-06-21T18:15:22.264Z", "datePublished": "2024-07-02T20:55:01.296Z", "dateUpdated": "2024-08-02T04:19:20.669Z"}, "containers": {"cna": {"title": "SkillTree CSRF Vulnerability allows an attacker to modify the Video and Captions of a Skill", "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "lang": "en", "description": "CWE-352: Cross-Site Request Forgery (CSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/NationalSecurityAgency/skills-service/security/advisories/GHSA-9624-qwxr-jr4j", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/NationalSecurityAgency/skills-service/security/advisories/GHSA-9624-qwxr-jr4j"}, {"name": "https://github.com/NationalSecurityAgency/skills-service/commit/68d4235ddcb16e4f33fc7f19d14ff917817a366c", "tags": ["x_refsource_MISC"], "url": "https://github.com/NationalSecurityAgency/skills-service/commit/68d4235ddcb16e4f33fc7f19d14ff917817a366c"}, {"name": "https://github.com/NationalSecurityAgency/skills-service/blob/24dd22f43306fc616e4580fb8bb88f66b5d9b41d/service/src/main/java/skills/controller/AdminController.groovy#L574", "tags": ["x_refsource_MISC"], "url": "https://github.com/NationalSecurityAgency/skills-service/blob/24dd22f43306fc616e4580fb8bb88f66b5d9b41d/service/src/main/java/skills/controller/AdminController.groovy#L574"}], "affected": [{"vendor": "NationalSecurityAgency", "product": "skills-service", "versions": [{"version": "< 2.12.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-07-02T20:55:01.296Z"}, "descriptions": [{"lang": "en", "value": "SkillTree is a micro-learning gamification platform. Prior to version 2.12.6, the endpoint \n`/admin/projects/{projectname}/skills/{skillname}/video` (and probably others) is open to a cross-site request forgery (CSRF) vulnerability. Due to the endpoint being CSRFable e.g POST request, supports a content type that can be exploited (multipart file upload), makes a state change and has no CSRF mitigations in place (samesite flag, CSRF token). It is possible to perform a CSRF attack against a logged in admin account, allowing an attacker that can target a logged in admin of Skills Service to modify the videos, captions, and text of the skill. Version 2.12.6 contains a patch for this issue.\n"}], "source": {"advisory": "GHSA-9624-qwxr-jr4j", "discovery": "UNKNOWN"}}, "adp": [{"affected": [{"vendor": "nsa", "product": "skills-service", "cpes": ["cpe:2.3:a:nsa:skills-service:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "2.12.6", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-03T14:26:13.059465Z", "id": "CVE-2024-39326", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-03T15:09:32.580Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T04:19:20.669Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/NationalSecurityAgency/skills-service/security/advisories/GHSA-9624-qwxr-jr4j", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/NationalSecurityAgency/skills-service/security/advisories/GHSA-9624-qwxr-jr4j"}, {"name": "https://github.com/NationalSecurityAgency/skills-service/commit/68d4235ddcb16e4f33fc7f19d14ff917817a366c", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/NationalSecurityAgency/skills-service/commit/68d4235ddcb16e4f33fc7f19d14ff917817a366c"}, {"name": "https://github.com/NationalSecurityAgency/skills-service/blob/24dd22f43306fc616e4580fb8bb88f66b5d9b41d/service/src/main/java/skills/controller/AdminController.groovy#L574", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/NationalSecurityAgency/skills-service/blob/24dd22f43306fc616e4580fb8bb88f66b5d9b41d/service/src/main/java/skills/controller/AdminController.groovy#L574"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-39326", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-03T14:26:13.059465Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:nsa:skills-service:*:*:*:*:*:*:*:*"], "vendor": "nsa", "product": "skills-service", "versions": [{"status": "affected", "version": "0", "lessThan": "2.12.6", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-03T14:59:01.113Z"}}], "cna": {"title": "SkillTree CSRF Vulnerability allows an attacker to modify the Video and Captions of a Skill", "source": {"advisory": "GHSA-9624-qwxr-jr4j", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "NationalSecurityAgency", "product": "skills-service", "versions": [{"status": "affected", "version": "< 2.12.6"}]}], "references": [{"url": "https://github.com/NationalSecurityAgency/skills-service/security/advisories/GHSA-9624-qwxr-jr4j", "name": "https://github.com/NationalSecurityAgency/skills-service/security/advisories/GHSA-9624-qwxr-jr4j", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/NationalSecurityAgency/skills-service/commit/68d4235ddcb16e4f33fc7f19d14ff917817a366c", "name": "https://github.com/NationalSecurityAgency/skills-service/commit/68d4235ddcb16e4f33fc7f19d14ff917817a366c", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/NationalSecurityAgency/skills-service/blob/24dd22f43306fc616e4580fb8bb88f66b5d9b41d/service/src/main/java/skills/controller/AdminController.groovy#L574", "name": "https://github.com/NationalSecurityAgency/skills-service/blob/24dd22f43306fc616e4580fb8bb88f66b5d9b41d/service/src/main/java/skills/controller/AdminController.groovy#L574", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "SkillTree is a micro-learning gamification platform. Prior to version 2.12.6, the endpoint \n`/admin/projects/{projectname}/skills/{skillname}/video` (and probably others) is open to a cross-site request forgery (CSRF) vulnerability. Due to the endpoint being CSRFable e.g POST request, supports a content type that can be exploited (multipart file upload), makes a state change and has no CSRF mitigations in place (samesite flag, CSRF token). It is possible to perform a CSRF attack against a logged in admin account, allowing an attacker that can target a logged in admin of Skills Service to modify the videos, captions, and text of the skill. Version 2.12.6 contains a patch for this issue.\n"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352: Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-07-02T20:55:01.296Z"}}}, "cveMetadata": {"cveId": "CVE-2024-39326", "state": "PUBLISHED", "dateUpdated": "2024-07-03T15:09:32.580Z", "dateReserved": "2024-06-21T18:15:22.264Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-07-02T20:55:01.296Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "SkillTree is a micro-learning gamification platform. Prior to version 2.12.6, the endpoint \n`/admin/projects/{projectname}/skills/{skillname}/video` (and probably others) is open to a cross-site request forgery (CSRF) vulnerability. Due to the endpoint being CSRFable e.g POST request, supports a content type that can be exploited (multipart file upload), makes a state change and has no CSRF mitigations in place (samesite flag, CSRF token). It is possible to perform a CSRF attack against a logged in admin account, allowing an attacker that can target a logged in admin of Skills Service to modify the videos, captions, and text of the skill. Version 2.12.6 contains a patch for this issue.\n"}, {"lang": "es", "value": "SkillTree es una plataforma de gamificaci\u00f3n de microaprendizaje. Antes de la versi\u00f3n 2.12.6, el endpoint `/admin/projects/{projectname}/skills/{skillname}/video` (y probablemente otros) est\u00e1 abierto a una vulnerabilidad de cross-site request forgery (CSRF). Debido a que el endpoint es CSRFable, por ejemplo, solicitud POST, admite un tipo de contenido que puede explotarse (carga de archivos de varias partes), realiza un cambio de estado y no tiene mitigaciones de CSRF implementadas (indicador del mismo sitio, token CSRF). Es posible realizar un ataque CSRF contra una cuenta de administrador que haya iniciado sesi\u00f3n, lo que permite que un atacante que pueda apuntar a un administrador de Skills que haya iniciado sesi\u00f3n modifique los videos, los subt\u00edtulos y el texto de la habilidad. La versi\u00f3n 2.12.6 contiene un parche para este problema."}], "id": "CVE-2024-39326", "lastModified": "2024-07-03T12:53:24.977", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 0.7, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-07-02T21:15:11.657", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/NationalSecurityAgency/skills-service/blob/24dd22f43306fc616e4580fb8bb88f66b5d9b41d/service/src/main/java/skills/controller/AdminController.groovy#L574"}, {"source": "security-advisories@github.com", "url": "https://github.com/NationalSecurityAgency/skills-service/commit/68d4235ddcb16e4f33fc7f19d14ff917817a366c"}, {"source": "security-advisories@github.com", "url": "https://github.com/NationalSecurityAgency/skills-service/security/advisories/GHSA-9624-qwxr-jr4j"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}