CVE-2024-39326

SkillTree is a micro-learning gamification platform. Prior to version 2.12.6, the endpoint `/admin/projects/{projectname}/skills/{skillname}/video` (and probably others) is open to a cross-site request forgery (CSRF) vulnerability. Due to the endpoint being CSRFable e.g POST request, supports a content type that can be exploited (multipart file upload), makes a state change and has no CSRF mitigations in place (samesite flag, CSRF token). It is possible to perform a CSRF attack against a logged in admin account, allowing an attacker that can target a logged in admin of Skills Service to modify the videos, captions, and text of the skill. Version 2.12.6 contains a patch for this issue.

CVSS v3 4.4 MEDIUM

4.4^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 0.7 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/NationalSecurityAgency/skills-service/blob/24dd22f43306fc616e4580fb8bb88f66b5d9b41d/service/src/main/java/skills/controller/AdminController.groovy#L574
https://github.com/NationalSecurityAgency/skills-service/commit/68d4235ddcb16e4f33fc7f19d14ff917817a366c
https://github.com/NationalSecurityAgency/skills-service/security/advisories/GHSA-9624-qwxr-jr4j

Configurations

No configuration.

History

No history.

Information

Published : 2024-07-02 21:15

Updated : 2024-07-03 12:53

NVD link : CVE-2024-39326

Mitre link : CVE-2024-39326

CVE.ORG link : CVE-2024-39326

JSON object : View

Products Affected

No product.

CWE

CWE-352

Cross-Site Request Forgery (CSRF)

{"id": "CVE-2024-39326", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 0.7}]}, "published": "2024-07-02T21:15:11.657", "references": [{"url": "https://github.com/NationalSecurityAgency/skills-service/blob/24dd22f43306fc616e4580fb8bb88f66b5d9b41d/service/src/main/java/skills/controller/AdminController.groovy#L574", "source": "security-advisories@github.com"}, {"url": "https://github.com/NationalSecurityAgency/skills-service/commit/68d4235ddcb16e4f33fc7f19d14ff917817a366c", "source": "security-advisories@github.com"}, {"url": "https://github.com/NationalSecurityAgency/skills-service/security/advisories/GHSA-9624-qwxr-jr4j", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-352"}]}], "descriptions": [{"lang": "en", "value": "SkillTree is a micro-learning gamification platform. Prior to version 2.12.6, the endpoint \n`/admin/projects/{projectname}/skills/{skillname}/video` (and probably others) is open to a cross-site request forgery (CSRF) vulnerability. Due to the endpoint being CSRFable e.g POST request, supports a content type that can be exploited (multipart file upload), makes a state change and has no CSRF mitigations in place (samesite flag, CSRF token). It is possible to perform a CSRF attack against a logged in admin account, allowing an attacker that can target a logged in admin of Skills Service to modify the videos, captions, and text of the skill. Version 2.12.6 contains a patch for this issue.\n"}, {"lang": "es", "value": "SkillTree es una plataforma de gamificaci\u00f3n de microaprendizaje. Antes de la versi\u00f3n 2.12.6, el endpoint `/admin/projects/{projectname}/skills/{skillname}/video` (y probablemente otros) est\u00e1 abierto a una vulnerabilidad de cross-site request forgery (CSRF). Debido a que el endpoint es CSRFable, por ejemplo, solicitud POST, admite un tipo de contenido que puede explotarse (carga de archivos de varias partes), realiza un cambio de estado y no tiene mitigaciones de CSRF implementadas (indicador del mismo sitio, token CSRF). Es posible realizar un ataque CSRF contra una cuenta de administrador que haya iniciado sesi\u00f3n, lo que permite que un atacante que pueda apuntar a un administrador de Skills que haya iniciado sesi\u00f3n modifique los videos, los subt\u00edtulos y el texto de la habilidad. La versi\u00f3n 2.12.6 contiene un parche para este problema."}], "lastModified": "2024-07-03T12:53:24.977", "sourceIdentifier": "security-advisories@github.com"}