PeTeReport 0.5 - Cross-site request forgery
4,3
Medium
Discovered by
Offensive Team, Fluid Attacks
Summary
Full name
PeTeReport 0.5 - Cross-site request forgery
Code name
State
Public
Release date
23 de fev. de 2022
Affected product
PeTeReport
Affected version(s)
Version 0.5
Fixed version(s)
Version 0.7
Vulnerability name
Cross-site request forgery
Vulnerability type
Remotely exploitable
Yes
CVSS v3.1 vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:X/RL:X/RC:X
CVSS v3.1 base score
4.3
Exploit available
No
CVE ID(s)
Description
PeteReport Version 0.5 contains a Cross Site Request Forgery (CSRF) vulnerability allowing an attacker to trick users into deleting users, products, reports and findings on the application.
Proof of Concept
Steps to reproduce
Create a malicious html file with the following content.
If an authenticated admin visits the malicious url, the user with the correspond id will be deleted.
System Information
Version: PeteReport Version 0.5.
Operating System: Docker.
Web Server: nginx.
Exploit
There is no exploit for the vulnerability but can be manually exploited.
Mitigation
An updated version of PeteReport is available at the vendor page.
References
Timeline
Vulnerability discovered
7 de fev. de 2022
Vendor contacted
7 de fev. de 2022
Vendor replied
9 de fev. de 2022
Vulnerability patched
9 de fev. de 2022
Public disclosure
23 de fev. de 2022
