GHSA-pvgf-mrr4-cw7r
Suggest an improvement- Source
- https://github.com/advisories/GHSA-pvgf-mrr4-cw7r
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-pvgf-mrr4-cw7r/GHSA-pvgf-mrr4-cw7r.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-pvgf-mrr4-cw7r
- Aliases
- Published
- 2021-05-06T18:53:09Z
- Modified
- 2023-11-08T04:03:06.403700Z
- Severity
-
- 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- Cross-Site Request Forgery in ForkCMS
- Details
-
Multiple cross-site request forgery (CSRF) vulnerabilities in the Admin Console in Fork before 5.8.3 allows remote attackers to perform unauthorized actions as administrator to (1) approve the mass of the user's comments, (2) restoring a deleted user, (3) installing or running modules, (4) resetting the analytics, (5) pinging the mailmotor api, (6) uploading things to the media library, (7) exporting locale.
- Database specific
{ "nvd_published_at": "2021-01-11T16:15:00Z", "github_reviewed_at": "2021-04-06T22:22:33Z", "severity": "HIGH", "github_reviewed": true, "cwe_ids": [ "CWE-352" ] }- References
Affected packages
Packagist / forkcms/forkcms
Package
- Name
- forkcms/forkcms
- Purl
- pkg:composer/forkcms/forkcms
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed5.8.3
Affected versions
3.*
3.5.0
3.5.1
3.6.0
3.6.1
3.6.2
3.6.3
3.6.4
3.6.5
3.6.6
3.7
3.7.1
3.7.2
3.7.3
3.8.0
3.8.1
3.8.2
3.8.3
3.8.4
3.8.5
3.8.6
3.8.7
3.9.0
3.9.1
3.9.2
3.9.3
3.9.4
3.9.5
3.9.6
4.*
4.0.0
4.0.1
4.0.2
4.0.3
4.0.4
4.0.5
4.0.6
4.1.0
4.1.1
4.1.2
4.2.0
4.2.1
4.2.2
4.2.3
4.2.4
4.3.0
4.3.1
4.4.0
4.4.1
4.5.0
4.5.1
4.5.2
4.5.3
4.5.4
4.5.5
5.*
5.0.0
5.0.1
5.0.2
5.0.3
5.0.4
5.0.5
5.0.6
5.0.7
5.1.0
5.2.0
5.2.1
5.2.2
5.2.3
5.3.0
5.3.1
5.4.0
5.4.1
5.5.0
5.5.1
5.5.2
5.6.0
5.6.1
5.6.2
5.7.0
5.7.1
5.8.0
5.8.1
5.8.2