GHSA-pvgf-mrr4-cw7r

Suggest an improvement
Source
https://github.com/advisories/GHSA-pvgf-mrr4-cw7r
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-pvgf-mrr4-cw7r/GHSA-pvgf-mrr4-cw7r.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-pvgf-mrr4-cw7r
Aliases
Published
2021-05-06T18:53:09Z
Modified
2023-11-01T04:52:34.400334Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Cross-Site Request Forgery in ForkCMS
Details

Multiple cross-site request forgery (CSRF) vulnerabilities in the Admin Console in Fork before 5.8.3 allows remote attackers to perform unauthorized actions as administrator to (1) approve the mass of the user's comments, (2) restoring a deleted user, (3) installing or running modules, (4) resetting the analytics, (5) pinging the mailmotor api, (6) uploading things to the media library, (7) exporting locale.

Database specific
{
    "nvd_published_at": "2021-01-11T16:15:00Z",
    "github_reviewed_at": "2021-04-06T22:22:33Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-352"
    ]
}
References

Affected packages

Packagist / forkcms/forkcms

Package

Name
forkcms/forkcms
Purl
pkg:composer/forkcms/forkcms

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.8.3

Affected versions

3.*

3.5.0
3.5.1
3.6.0
3.6.1
3.6.2
3.6.3
3.6.4
3.6.5
3.6.6
3.7
3.7.1
3.7.2
3.7.3
3.8.0
3.8.1
3.8.2
3.8.3
3.8.4
3.8.5
3.8.6
3.8.7
3.9.0
3.9.1
3.9.2
3.9.3
3.9.4
3.9.5
3.9.6

4.*

4.0.0
4.0.1
4.0.2
4.0.3
4.0.4
4.0.5
4.0.6
4.1.0
4.1.1
4.1.2
4.2.0
4.2.1
4.2.2
4.2.3
4.2.4
4.3.0
4.3.1
4.4.0
4.4.1
4.5.0
4.5.1
4.5.2
4.5.3
4.5.4
4.5.5

5.*

5.0.0
5.0.1
5.0.2
5.0.3
5.0.4
5.0.5
5.0.6
5.0.7
5.1.0
5.2.0
5.2.1
5.2.2
5.2.3
5.3.0
5.3.1
5.4.0
5.4.1
5.5.0
5.5.1
5.5.2
5.6.0
5.6.1
5.6.2
5.7.0
5.7.1
5.8.0
5.8.1
5.8.2