GHSA-3hq4-f2v6-q338
Suggest an improvement- Source
- https://github.com/advisories/GHSA-3hq4-f2v6-q338
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/07/GHSA-3hq4-f2v6-q338/GHSA-3hq4-f2v6-q338.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-3hq4-f2v6-q338
- Aliases
- Published
- 2018-07-12T20:30:30Z
- Modified
- 2024-09-27T21:40:14.601129Z
- Severity
-
- 8.8 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
- 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Kotti CSRF in the local roles implementation
- Details
-
Kotti before 1.3.2 and 2.x before 2.0.0b2 has CSRF in the local roles implementation, as demonstrated by triggering a permission change via a
/admin-document/@@sharerequest. - Database specific
{ "github_reviewed": true, "severity": "HIGH", "github_reviewed_at": "2020-06-16T20:55:14Z", "cwe_ids": [ "CWE-352" ], "nvd_published_at": null }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2018-9856
- https://github.com/Kotti/Kotti/issues/551
- https://github.com/Kotti/Kotti/commit/69d3c8a5d7203ddaec5ced5901acf87baddd76be
- https://github.com/Kotti/Kotti
- https://github.com/advisories/GHSA-3hq4-f2v6-q338
- https://github.com/pypa/advisory-database/tree/main/vulns/kotti/PYSEC-2018-10.yaml
Affected packages
PyPI / kotti
Package
- Name
- kotti
- View open source insights on deps.dev
- Purl
- pkg:pypi/kotti
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.3.2
Affected versions
0.*
0.1a1
0.1a2
0.1a3
0.1a4
0.1a5
0.1a6
0.1a7
0.1a8
0.1a9
0.1
0.1.1
0.2a1
0.2a2
0.2
0.2.1
0.2.2
0.2.3
0.2.4
0.2.5
0.2.6
0.2.7
0.2.8
0.2.9
0.2.10
0.3.0
0.3.1
0.4.0
0.4.1
0.4.2
0.4.3
0.4.4
0.4.5
0.5.0a1
0.5.0a2
0.5.0a3
0.5.0a4
0.5.0a5
0.5.0a6
0.5.0a7
0.5.0rc1
0.5.0rc2
0.5.0
0.5.1
0.5.2
0.6.0b1
0.6.0b2
0.6.0b3
0.6.0
0.6.1
0.6.2
0.6.3
0.7a1
0.7a2
0.7a3
0.7a4
0.7a5
0.7a6
0.7rc1
0.7
0.7.1
0.7.2
0.8a1
0.8a2
0.8b1
0.8b2
0.8
0.9a1
0.9a2
0.9b1
0.9b2
0.9
0.9.1
0.9.2
0.10a1
0.10a2
0.10a3
0.10a4
0.10b1
1.*
1.0.0-alpha
1.0.0-alpha.2
1.0.0-alpha.3
1.0.0-alpha.4
1.0.0
1.1.0-alpha.1
1.1.0
1.1.1
1.1.2
1.1.3
1.1.4
1.1.5
1.2.0
1.2.1
1.2.2
1.2.3
1.2.4
1.3.0a1
1.3.0a2
1.3.0a3
1.3.0a4
1.3.0
1.3.1
PyPI / kotti
Package
- Name
- kotti
- View open source insights on deps.dev
- Purl
- pkg:pypi/kotti