Description
Cross Site Request Forgery vulnerability in diskoverdata diskover-community v.2.3.5. and before allows a remote attacker to escalate privileges and obtain sensitive information via the public/settings_process.php
Published: 2026-04-27
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation and Information Disclosure
Action: Patch Immediately
AI Analysis

Impact

Diskover‑Community versions 2.3.5 and earlier contain a Cross‑Site Request Forgery flaw in the file public/settings_process.php. A remote attacker can send forged HTTP requests that the application accepts as legitimate, allowing the attacker to elevate privileges within the application and read or modify sensitive data. This vulnerability is classified as CWE‑352 and represents a severe flaw in state‑management and request validation.

Affected Systems

All installations of the Diskover‑Data community edition are affected. Any instance running version 2.3.5 or earlier is vulnerable; newer releases are not known to be affected.

Risk and Exploitability

The flaw scores 8.8 on CVSS, indicating high severity. The EPSS score is less than 1% and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the attack vector is public and does not require prior authentication; a malicious actor can craft a forged request via a victim’s browser or a hidden form submitted to public/settings_process.php from a compromised third‑party site. Due to the simplicity of the CSRF payload and the lack of additional access controls, the risk of exploitation remains significant.

Generated by OpenCVE AI on April 28, 2026 at 23:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade diskover-community to the latest release that removes the CSRF bug in public/settings_process.php.
  • If an upgrade cannot be performed immediately, restrict access to public/settings_process.php so that only authenticated users or known IP ranges can reach the endpoint, for example by configuring web‑server ACLs or a firewall rule.
  • Enforce CSRF protection on settings_update operations by requiring a unique token in POST requests, which prevents forged requests from succeeding unless the user’s session contains a valid token.

Generated by OpenCVE AI on April 28, 2026 at 23:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 29 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Title Cross‑Site Request Forgery in Diskover‑Community Allows Privilege Escalation and Data Theft

Tue, 28 Apr 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Diskoverdata
Diskoverdata diskover
Vendors & Products Diskoverdata
Diskoverdata diskover

Tue, 28 Apr 2026 05:15:00 +0000

Type Values Removed Values Added
Title Cross‑Site Request Forgery in Diskover‑Community Allows Privilege Escalation and Data Theft

Mon, 27 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-352
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 27 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Description Cross Site Request Forgery vulnerability in diskoverdata diskover-community v.2.3.5. and before allows a remote attacker to escalate privileges and obtain sensitive information via the public/settings_process.php
References

Subscriptions

Diskoverdata Diskover
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-27T17:48:28.489Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-38934

cve-icon Vulnrichment

Updated: 2026-04-27T17:48:15.785Z

cve-icon NVD

Status : Deferred

Published: 2026-04-27T17:16:43.037

Modified: 2026-04-27T18:35:53.583

Link: CVE-2026-38934

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T23:45:16Z

Weaknesses