
20200722 CSRF Bypass On Endpoints With No Body Parameters

Arjen van Bochoven edited this page Jul 22, 2020 · 1 revision

CSRF Bypass On Endpoints With No Body Parameters - CVE-2020-15882

Description

A Cross-Site Request Forgery (CSRF) attack is a type of malicious exploit of a website in which unauthorized commands are transmitted from a user that the web application trusts. In a CSRF attack, an innocent end user is tricked by an attacker into submitting a web request that they did not intend. This may cause actions to be performed on the website, including inadvertent client or server data leakage, a change of session state, or manipulation of the end user's account.

MunkiReport only verifies the CSRF token when a request is made via POST or DELETE; a request made with any other HTTP method is not checked at all. An endpoint whose action needs no body parameters can therefore be invoked with one of those unchecked methods, and the token is never validated.
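The two checks below are an added illustration of the flaw described above, written for this page; they are not MunkiReport's own code, and the route path, the `_token` parameter name and the session token value are constructed for the example. The vulnerable check verifies the token only for POST and DELETE, the hardened one verifies it for every non-safe method and additionally binds the state-changing handler to POST only. `bypass_methods` is a small probe that reports which methods reach the handler with no token at all, which is the test a reviewer would run against a middleware of this shape.

```python
"""Token check gated on HTTP method (vulnerable) vs. on method safety (hardened).

Constructed model for illustration; not MunkiReport code.
"""
from dataclasses import dataclass, field
import hmac

SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})
ALL_METHODS = ("GET", "HEAD", "OPTIONS", "POST", "PUT", "PATCH", "DELETE")

# Constructed session token; in a real app it lives in the server-side session.
SESSION_TOKEN = "9f2c1a4e7b0d3f6c8a1e5b7d2c4f6a8b"


@dataclass
class Request:
    method: str
    path: str
    body: dict = field(default_factory=dict)  # form/body parameters, if any


def token_is_valid(submitted):
    """Constant-time comparison against the session token."""
    return submitted is not None and hmac.compare_digest(SESSION_TOKEN, submitted)


def vulnerable_csrf_check(req):
    """Flawed pattern: the token is only verified for POST and DELETE.
    Any other method reaches the handler without presenting a token."""
    if req.method in ("POST", "DELETE"):
        return token_is_valid(req.body.get("_token"))
    return True


def hardened_csrf_check(req):
    """Every non-safe method must present a valid token, so a request that
    carries no body parameters (and thus no token) is rejected."""
    if req.method in SAFE_METHODS:
        return True
    return token_is_valid(req.body.get("_token"))


def dispatch(req, csrf_check, allowed_methods):
    """Route to a state-changing handler that needs no body parameters
    (the hypothetical 'delete the record named in the path').
    Returns 'method_rejected', 'csrf_rejected' or 'executed'."""
    if req.method not in allowed_methods:
        return "method_rejected"
    if not csrf_check(req):
        return "csrf_rejected"
    return "executed"


def bypass_methods(csrf_check, allowed_methods, path="/delete/machine-42"):
    """Probe: which HTTP methods execute the handler with no token at all?
    A non-empty list means a cross-site page can trigger the action."""
    return [m for m in ALL_METHODS
            if dispatch(Request(m, path), csrf_check, allowed_methods) == "executed"]


# Vulnerable setup: handler bound to any method, token checked only for POST/DELETE.
VULNERABLE_ROUTE = (vulnerable_csrf_check, frozenset(ALL_METHODS))
# Hardened setup: handler bound to POST only, token checked for every non-safe method.
HARDENED_ROUTE = (hardened_csrf_check, frozenset({"POST"}))


if __name__ == "__main__":
    print("vulnerable route, token-less bypass via:", bypass_methods(*VULNERABLE_ROUTE))
    print("hardened route, token-less bypass via:", bypass_methods(*HARDENED_ROUTE))
    forged = Request("POST", "/delete/machine-42", {"_token": "attacker-guess"})
    print("forged POST on hardened route:", dispatch(forged, *HARDENED_ROUTE))
```

On the vulnerable route the probe lists GET, HEAD, OPTIONS, PUT and PATCH: a POST with a wrong token is still refused, but the same handler is reachable cross-site with any method outside the checked pair. On the hardened route the list is empty, because the handler only accepts POST and every POST must carry the session's token.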

Vulnerable: MunkiReport versions 2.5.3 through 5.6.2.

Mitigation

Update MunkiReport to the latest version
