#2074 - Security fix for CSRF vulnerability

Identifier #2074
Issue type Minor issue (breaks specific functionality)
Title Security fix for CSRF vulnerability
Status Completed
Handling member Chris Graham
Version 9.0.21
Addon General / Uncategorised
Description There is a CSRF vulnerability in Composr. The vulnerability bypasses our referrer checks on forms posted to the system. It allows malicious third-party websites to trick administrators into submitting coded forms (i.e. coded actions) to the system.

The vulnerability only happens in very particular circumstances, which we are not currently disclosing.

The vulnerability can only occur when the administrator already has a confirmed active login session open (not just a cookie login), and only when they are somehow tricked into visiting the malicious third-party site. It is nevertheless a serious issue if a knowledgeable attacker wants to trick your staff directly into performing this attack.
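As an added illustration (not Composr's own code; the page does not describe Composr's actual referrer check or the circumstances of the bypass), the following shows why a form-submission check should not rest on the referrer alone: a same-origin Referer/Origin check is kept, but a per-session anti-CSRF token is required as well, so defeating the referrer check by itself is not enough. The host name and secret are constructed placeholders.

```python
import hmac
import hashlib
from urllib.parse import urlsplit

# Constructed sample values: the site's own host and a server-side secret.
SITE_HOST = "example.test"
SECRET_KEY = b"constructed-server-secret-placeholder"


def make_csrf_token(session_id: str) -> str:
    """Derive a per-session anti-CSRF token as an HMAC of the session id.

    The token is embedded in each form and checked on submission; a third-party
    site cannot read it, so it cannot forge a valid coded action."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def referrer_ok(headers: dict) -> bool:
    """Same-origin check on Origin (preferred) or Referer.

    A missing header is treated as a failure rather than a pass: accepting
    absent referrers is the classic way such a check becomes bypassable."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    return urlsplit(source).hostname == SITE_HOST


def action_permitted(headers: dict, form: dict, session_id: str) -> bool:
    """Defence in depth for a posted form: both layers must pass.

    Even if a request somehow satisfies the referrer check, it is still
    rejected unless it carries the token bound to the active session."""
    if not referrer_ok(headers):
        return False
    expected = make_csrf_token(session_id)
    supplied = form.get("csrf_token", "")
    # Constant-time comparison avoids leaking the token through timing.
    return hmac.compare_digest(expected, supplied)
```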
Steps to reproduce

Funded? No

Rating

Unrated