CVE-2023-0737

Published: Nov 15, 2024Modified: Nov 19, 2024

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Exploitability: 2.8 / Impact: 3.6

Source: NVD

Description

wallabag version 2.5.2 contains a Cross-Site Request Forgery (CSRF) vulnerability that allows attackers to arbitrarily delete user accounts via the /account/delete endpoint. This issue is fixed in version 2.5.4.

Affected (1)

Products: Wallabag: Wallabag

Wallabag

1 product

Wallabag

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Wallabag Wallabag	Version 2.5.2

Related CWEs

CWE-352

Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

References (2)

https://github.com/wallabag/wallabag/commit/268372dbbdd7ef87b84617fdebf95d0a86caf7dc

Source: security@huntr.dev

Patch

https://huntr.com/bounties/4ba20fe7-4061-4dfb-ab2f-ecaf110641a5

Source: security@huntr.dev

Exploit

Timeline

No history available yet.