In csrf-magic before 1.0.4, if $GLOBALS['csrf']['secret'] is not configured, the Anti-CSRF Token used is predictable and would permit an attacker to bypass the CSRF protections, because an automatically generated secret is not used.
References
Link | Resource |
---|---|
http://csrf.htmlpurifier.org/news/2013/0717-1.0.4-released | Vendor Advisory Release Notes |
http://repo.or.cz/csrf-magic.git/blob/HEAD:/NEWS.txt | Release Notes Third Party Advisory |
http://repo.or.cz/csrf-magic.git/commit/9d2537f70d58b16aeba89779aaf1573b8d618e11 | Patch Third Party Advisory |
Configurations
History
No history.
Information
Published : 2018-08-08 00:29
Updated : 2024-02-28 16:48
NVD link : CVE-2013-7464
Mitre link : CVE-2013-7464
CVE.ORG link : CVE-2013-7464
JSON object : View
Products Affected
csrf-magic_project
- csrf-magic
CWE
CWE-352
Cross-Site Request Forgery (CSRF)