PeTeReport 0.5 - Cross-site request forgery
Discovered by
Offensive Team, Fluid Attacks
Summary
Full name
PeTeReport 0.5 - Cross-site request forgery
Code name
State
Public
Release date
23 de fev. de 2022
Affected product
PeTeReport
Affected version(s)
Version 0.5
Fixed version(s)
Version 0.7
Vulnerability name
Cross-site request forgery
Vulnerability type
Remotely exploitable
Yes
CVSS v3.1 vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:X/RL:X/RC:X
CVSS v3.1 base score
4.3
Exploit available
No
CVE ID(s)
Description
PeteReport Version 0.5 contains a Cross Site Request Forgery (CSRF) vulnerability allowing an attacker to trick users into deleting users, products, reports and findings on the application.
Proof of Concept
Steps to reproduce
Create a malicious html file with the following content.
If an authenticated admin visits the malicious url, the user with the correspond id will be deleted.
System Information
Version: PeteReport Version 0.5.
Operating System: Docker.
Web Server: nginx.
Exploit
There is no exploit for the vulnerability but can be manually exploited.
Mitigation
An updated version of PeteReport is available at the vendor page.
References
Timeline
7 de fev. de 2022
Vulnerability discovered
7 de fev. de 2022
Vendor contacted
9 de fev. de 2022
Vendor replied
9 de fev. de 2022
Vulnerability patched
23 de fev. de 2022
Public disclosure
Does your application use this vulnerable software?
During our free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.