GHSA-gmj8-84r4-h46j

Source

https://github.com/advisories/GHSA-gmj8-84r4-h46j

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-gmj8-84r4-h46j/GHSA-gmj8-84r4-h46j.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-gmj8-84r4-h46j

Aliases

Published

2022-09-23T00:00:31Z

Modified

2024-10-25T21:41:53.010205Z

Severity

7.0 (High) CVSS_V3 - CVSS:3.0/AV:A/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:H CVSS Calculator
7.1 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:L/VA:H/SC:N/SI:N/SA:N CVSS Calculator

Summary

rdiffweb Cross-Site Request Forgery vulnerability can lead to user email ID being changed

Details

rdiffwen prior to version 2.4.7 is vulnerable to Cross-Site Request Forgery (CSRF). An attacker can change a user's email ID. Version 2.4.7 has a fix for this issue.

Database specific

{
    "nvd_published_at": "2022-09-22T19:15:00Z",
    "severity": "HIGH",
    "github_reviewed_at": "2022-09-23T20:38:52Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-352"
    ]
}

References

Affected packages

PyPI / rdiffweb

Package

Name: rdiffweb; View open source insights on deps.dev
Purl: pkg:pypi/rdiffweb

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.4.7

Affected versions

0.*

0.9.2.dev1

0.9.3

0.9.4

0.9.5

0.10.0

0.10.2

0.10.3

0.10.4

0.10.5

0.10.6

0.10.7

0.10.8

0.10.9

1.*

1.0.0a1

1.0.0a2

1.0.0a3

1.0.0a4

1.0.0

1.0.1

1.0.2

1.0.3

1.1.0

1.2.0

1.2.1

1.2.2

1.3.0

1.3.1b1

1.3.1b2

1.3.1

1.3.2

1.4.0b1

1.4.0b2

1.4.0b3

1.4.0b4

1.4.0b5

1.4.0

1.4.1b1

1.4.1b2

1.4.1b3

1.5.0

1.5.1b1

1.5.1b2

1.6.0b1

2.*

2.0.1b2

2.0.1b3

2.0.2

2.0.3a1

2.0.3a2

2.0.3a3

2.0.3a4

2.0.3a5

2.0.3a6

2.0.3a7

2.1.0

2.2.0.dev1

2.2.0a1

2.2.0a2

2.2.0a3

2.2.0a4

2.2.0a5

2.2.0a6

2.2.0

2.2.1

2.3.0

2.3.1

2.3.2

2.3.3

2.3.4

2.3.5

2.3.6

2.3.7

2.3.8

2.3.9

2.4.0

2.4.1

2.4.2

2.4.3

2.4.4

2.4.5

2.4.6