CVE-2013-7464

In csrf-magic before 1.0.4, if $GLOBALS['csrf']['secret'] is not configured, the Anti-CSRF Token used is predictable and would permit an attacker to bypass the CSRF protections, because an automatically generated secret is not used.
Configurations

Configuration 1 (hide)

cpe:2.3:a:csrf-magic_project:csrf-magic:*:*:*:*:*:*:*:*

History

21 Nov 2024, 02:01

Type Values Removed Values Added
References () http://csrf.htmlpurifier.org/news/2013/0717-1.0.4-released - Vendor Advisory, Release Notes () http://csrf.htmlpurifier.org/news/2013/0717-1.0.4-released - Release Notes, Vendor Advisory
References () http://repo.or.cz/csrf-magic.git/blob/HEAD:/NEWS.txt - Release Notes, Third Party Advisory () http://repo.or.cz/csrf-magic.git/blob/HEAD:/NEWS.txt - Release Notes, Third Party Advisory
References () http://repo.or.cz/csrf-magic.git/commit/9d2537f70d58b16aeba89779aaf1573b8d618e11 - Patch, Third Party Advisory () http://repo.or.cz/csrf-magic.git/commit/9d2537f70d58b16aeba89779aaf1573b8d618e11 - Patch, Third Party Advisory

Information

Published : 2018-08-08 00:29

Updated : 2024-11-21 02:01


NVD link : CVE-2013-7464

Mitre link : CVE-2013-7464

CVE.ORG link : CVE-2013-7464


JSON object : View

Products Affected

csrf-magic_project

  • csrf-magic
CWE
CWE-352

Cross-Site Request Forgery (CSRF)