Description
Cross Site Request Forgery vulnerability in diskoverdata diskover-community v.2.3.5. and before allows a remote attacker to escalate privileges and obtain sensitive information via the public/settings_process.php
Published: 2026-04-27
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation and Information Disclosure
Action: Patch Immediately
AI Analysis

Impact

Diskover‑Community versions 2.3.5 and earlier contain a Cross‑Site Request Forgery flaw in public/settings_process.php that allows a remote attacker to send forged requests which the application accepts as legitimate. The attacker can thus raise privileges within the application and read or modify sensitive data. This vulnerability is categorized as CWE‑352 and represents a severe flaw in state‑management and request validation.

Affected Systems

All installations of the Diskover‑Data community edition are affected. Any instance running version 2.3.5 or earlier is vulnerable; no later release is known to be vulnerable.

Risk and Exploitability

The flaw scores 8.8 on CVSS, indicating high severity. While no EPSS value is published and the vulnerability is not listed in the CISA KEV catalog, the attack vector is public and does not require prior authentication. A malicious actor can craft a URL or embed a hidden form that submits to public/settings_process.php from a victim’s browser or through a compromised third‑party site, thereby escalating privileges and extracting sensitive data. Due to the simplicity of the CSRF payload and the lack of additional access controls, the risk of exploitation remains significant.

Generated by OpenCVE AI on April 28, 2026 at 04:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade diskover-community to the latest release that removes the CSRF bug in public/settings_process.php.
  • If an upgrade cannot be performed immediately, restrict access to public/settings_process.php so that only authenticated users or known IP ranges can reach the endpoint, for example by configuring web‑server ACLs or a firewall rule.
  • Enforce CSRF protection on settings_update operations by requiring a unique token in POST requests, which prevents forged requests from succeeding unless the user’s session contains a valid token.

Generated by OpenCVE AI on April 28, 2026 at 04:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Diskoverdata
Diskoverdata diskover
Vendors & Products Diskoverdata
Diskoverdata diskover

Tue, 28 Apr 2026 05:15:00 +0000

Type Values Removed Values Added
Title Cross‑Site Request Forgery in Diskover‑Community Allows Privilege Escalation and Data Theft

Mon, 27 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-352
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 27 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Description Cross Site Request Forgery vulnerability in diskoverdata diskover-community v.2.3.5. and before allows a remote attacker to escalate privileges and obtain sensitive information via the public/settings_process.php
References

Subscriptions

Diskoverdata Diskover
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-27T17:48:28.489Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-38934

cve-icon Vulnrichment

Updated: 2026-04-27T17:48:15.785Z

cve-icon NVD

Status : Deferred

Published: 2026-04-27T17:16:43.037

Modified: 2026-04-27T18:35:53.583

Link: CVE-2026-38934

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T08:45:26Z

Weaknesses