lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAKD6+R4J15Aqhn1GC0Q7Aq8B36H+dsV-cRkScDUe=Z=aah-9PA@mail.gmail.com>
Date: Mon, 26 Aug 2019 10:21:40 +0200
From: Daniel Bishtawi <daniel@...sparker.com>
To: fulldisclosure@...lists.org, vuln@...unia.com, bugs@...uritytracker.com, 
 submissions@...ketstormsecurity.org
Subject: [FD] Multiple CSRF Vulnerabilities in Django CRM 0.2.1

Hello,

We are informing you about the vulnerabilities in Django CRM 0.2.1.

Here are the details:

Information
--------------------
Advisory by Netsparker
Name: Multiple CSRF Vulnerabilities in Django CRM 0.2.1
Affected Software: Django CRM
Affected Versions: 0.2.1
Homepage: https://github.com/MicroPyramid/Django-CRM
Vulnerability: Cross-site Request Forgery
Severity: 8.8 High
Status: Not Fixed
CVE-ID: CVE-2019-11457
CVSS Score (3.0): CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Netsparker Advisory Reference: NS-19-013

Technical Details
--------------------


   1. /change-password-by-admin/
   URL: http://{domain}/change-password-by-admin/
   Form Name: pasteform


   1. /api/settings/add/
   URL: http://{domain}/api/settings/add/
   Form Name: pasteform


   1. /cases/create/
   URL: http://{domain}/cases/create/
   Form Name: pasteform


   1. /change-password-by-admin/
   URL: http://{domain}/change-password-by-admin/
   Form Name: pasteform


   1. /comment/add/
   URL: http://{domain}/comment/add/
   Form Name: pasteform


   1. /documents/1/view/
   URL: http://{domain}/documents/1/view/
   Form Name: pasteform


   1. /documents/create/
   URL: http://{domain}/documents/create/
   Form Name: pasteform


   1. /opportunities/create/
   URL: http://{domain}/opportunities/create/
   Form Name: pasteform


   1. /login/
   URL: http://192.168.52.131:8000/login/


For more information:
https://www.netsparker.com/web-applications-advisories/ns-19-013-csrf-vulnerabilities-in-django-crm/

Regards,

Daniel Bishtawi
Marketing Administrator | Netsparker Web Application Security Scanner
Follow us on Twitter <https://twitter.com/netsparker> | LinkedIn
<https://www.linkedin.com/company/netsparker-ltd> | Facebook
<https://facebook.com/netsparker>
<https://www.netsparker.com/blog/events/exhibiting-global-appsec-dc-2019/>

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ