CVE-2022-28108

Published: Apr 19, 2022Modified: Jun 17, 2026

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

Selenium Server (Grid) before 4 allows CSRF because it permits non-JSON content types such as application/x-www-form-urlencoded, multipart/form-data, and text/plain.

Affected (8)

Products: Selenium: Selenium Grid

1 product

Configuration A

8 vulnerable

Vulnerable Software	Affected Versions
Selenium Selenium Grid	Before 4.0.0
Selenium Selenium Grid	Version 4.0.0
Selenium Selenium Grid	Version 4.0.0 alpha1
Selenium Selenium Grid	Version 4.0.0 alpha2
Selenium Selenium Grid	Version 4.0.0 alpha3
Selenium Selenium Grid	Version 4.0.0 alpha4
Selenium Selenium Grid	Version 4.0.0 alpha5
Selenium Selenium Grid	Version 4.0.0 alpha6

Related CWEs

Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

References (6)

https://www.gabriel.urdhr.fr/2022/02/07/selenium-standalone-server-csrf-dns-rebinding-rce/

Source: cve@mitre.org

ExploitThird Party Advisory

https://www.openwall.com/lists/oss-security/2022/02/07/3

Source: cve@mitre.org

Mailing ListNot ApplicableThird Party Advisory

https://www.selenium.dev/downloads/

Source: cve@mitre.org

ProductVendor Advisory

https://www.gabriel.urdhr.fr/2022/02/07/selenium-standalone-server-csrf-dns-rebinding-rce/

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

https://www.openwall.com/lists/oss-security/2022/02/07/3

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListNot ApplicableThird Party Advisory

https://www.selenium.dev/downloads/

Source: af854a3a-2127-422b-91ae-364da2661108

ProductVendor Advisory

Timeline

No history available yet.