In csrf-magic before 1.0.4, if $GLOBALS['csrf']['secret'] is not configured, the Anti-CSRF Token used is predictable and would permit an attacker to bypass the CSRF protections, because an automatically generated secret is not used.
References
Link | Resource |
---|---|
http://csrf.htmlpurifier.org/news/2013/0717-1.0.4-released | Release Notes Vendor Advisory |
http://repo.or.cz/csrf-magic.git/blob/HEAD:/NEWS.txt | Release Notes Third Party Advisory |
http://repo.or.cz/csrf-magic.git/commit/9d2537f70d58b16aeba89779aaf1573b8d618e11 | Patch Third Party Advisory |
http://csrf.htmlpurifier.org/news/2013/0717-1.0.4-released | Release Notes Vendor Advisory |
http://repo.or.cz/csrf-magic.git/blob/HEAD:/NEWS.txt | Release Notes Third Party Advisory |
http://repo.or.cz/csrf-magic.git/commit/9d2537f70d58b16aeba89779aaf1573b8d618e11 | Patch Third Party Advisory |
Configurations
History
21 Nov 2024, 02:01
Type | Values Removed | Values Added |
---|---|---|
References | () http://csrf.htmlpurifier.org/news/2013/0717-1.0.4-released - Release Notes, Vendor Advisory | |
References | () http://repo.or.cz/csrf-magic.git/blob/HEAD:/NEWS.txt - Release Notes, Third Party Advisory | |
References | () http://repo.or.cz/csrf-magic.git/commit/9d2537f70d58b16aeba89779aaf1573b8d618e11 - Patch, Third Party Advisory |
Information
Published : 2018-08-08 00:29
Updated : 2024-11-21 02:01
NVD link : CVE-2013-7464
Mitre link : CVE-2013-7464
CVE.ORG link : CVE-2013-7464
JSON object : View
Products Affected
csrf-magic_project
- csrf-magic
CWE
CWE-352
Cross-Site Request Forgery (CSRF)