Vulnerability Details CVE-2013-7464
In csrf-magic before 1.0.4, if $GLOBALS['csrf']['secret'] is not configured, the Anti-CSRF Token used is predictable and would permit an attacker to bypass the CSRF protections, because an automatically generated secret is not used.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 41.0%
CVSS Severity
CVSS v3 Score 8.8
CVSS v2 Score 6.8
References
- http://csrf.htmlpurifier.org/news/2013/0717-1.0.4-released
- http://repo.or.cz/csrf-magic.git/blob/HEAD:/NEWS.txt
- http://repo.or.cz/csrf-magic.git/commit/9d2537f70d58b16aeba89779aaf1573b8d618e11
- http://csrf.htmlpurifier.org/news/2013/0717-1.0.4-released
- http://repo.or.cz/csrf-magic.git/blob/HEAD:/NEWS.txt
- http://repo.or.cz/csrf-magic.git/commit/9d2537f70d58b16aeba89779aaf1573b8d618e11
Products affected by CVE-2013-7464
-
cpe:2.3:a:csrf-magic_project:csrf-magic:*