CVE-2021-29349

{"id": "CVE-2021-29349", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2021-03-31T23:15:11.827", "references": [{"url": "https://github.com/0xBaz/CVE-2021-29349/issues/1", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-352"}]}], "descriptions": [{"lang": "en", "value": "Mahara 20.10 is affected by Cross Site Request Forgery (CSRF) that allows a remote attacker to remove inbox-mail on the server. The application fails to validate the CSRF token for a POST request. An attacker can craft a module/multirecipientnotification/inbox.php pieform_delete_all_notifications request, which leads to removing all messages from a mailbox."}, {"lang": "es", "value": "Mahara versi\u00f3n 20.10 est\u00e1 afectado por un vulnerabilidad de tipo Cross Site Request Forgery (CSRF) que permite a un atacante remoto eliminar el correo de la bandeja de entrada del servidor. La aplicaci\u00f3n no puede validar el token CSRF para una petici\u00f3n POST. Un atacante puede crear una petici\u00f3n de pieform_delete_all_notifications del archivo module/multirecipientnotification/inbox.php, que conlleva a eliminar todos los mensajes de un buz\u00f3n."}], "lastModified": "2021-04-07T12:45:55.307", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:mahara:mahara:20.10:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "39EBBE51-0365-49FD-9504-C42AC8EA8477"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}