CSRF issue on preview pages

High
bobdenotter published GHSA-2q66-6cc3-6xm8 Jun 8, 2020

Package

No package listed

Affected versions

< 3.7.1

Patched versions

3.7.1

Description

Impact

Bolt CMS lacked CSRF protection in the preview-generating endpoint. Previews are intended to be generated by the admins, developers, chief-editors, and editors, who are authorized to create content in the application. Due to the lack of proper CSRF protection, unauthorized users could generate a preview.
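To illustrate the defect class described above, the following is an added example (not code from Bolt or its maintainers): a minimal PHP preview handler in the unprotected form that the advisory describes, beside a version that requires a per-session CSRF token. The session key `_csrf_preview`, the hidden field name `preview_token` and the `/preview` route are assumptions made for the illustration.

```php
<?php
// Added example, not Bolt's own code. Session key, field name and route are
// assumptions chosen for illustration.
declare(strict_types=1);

// Session cookies restricted to same-site requests add defence in depth,
// but the token check below is the primary control.
session_set_cookie_params(['samesite' => 'Lax', 'httponly' => true]);
session_start();

/** Issue (or reuse) a per-session token for one purpose and store it server-side. */
function csrf_token(string $purpose): string
{
    $key = '_csrf_' . $purpose;
    if (empty($_SESSION[$key])) {
        $_SESSION[$key] = bin2hex(random_bytes(32));
    }
    return $_SESSION[$key];
}

/** Compare the submitted token with the session copy in constant time. */
function csrf_is_valid(string $purpose, ?string $submitted): bool
{
    $key = '_csrf_' . $purpose;
    if ($submitted === null || empty($_SESSION[$key])) {
        return false;
    }
    return hash_equals($_SESSION[$key], $submitted);
}

// Vulnerable pattern (what the advisory describes): any POST reaching the
// endpoint with a logged-in session is rendered, so a form on a third-party
// site can trigger it using the victim's cookies.
function render_preview_unprotected(array $post): string
{
    $body = htmlspecialchars($post['body'] ?? '', ENT_QUOTES, 'UTF-8');
    return '<div class="preview">' . $body . '</div>';
}

// Hardened pattern: refuse to do any work unless the request carries the
// token, which a cross-site page cannot read out of the victim's session.
function render_preview_protected(array $post): string
{
    if (!csrf_is_valid('preview', $post['preview_token'] ?? null)) {
        http_response_code(403);
        return 'Invalid CSRF token';
    }
    return render_preview_unprotected($post);
}

// Emitting the editor form: the token travels in a hidden field alongside the content.
$token = csrf_token('preview');
echo '<form method="post" action="/preview">'
   . '<input type="hidden" name="preview_token" value="'
   . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">'
   . '<textarea name="body"></textarea>'
   . '<button type="submit">Preview</button>'
   . '</form>';

// Handling the submission:
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    echo render_preview_protected($_POST);
}
```

The check belongs on every state-changing or privilege-gated endpoint, not only those that persist data: a preview that renders editor-supplied content is still an action only content creators should be able to trigger.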

Patches

This has been fixed in Bolt 3.7.1.

References

Related issue: #7853

Severity

High

CVE ID

CVE-2020-4040

Weaknesses

No CWEs

Credits