apollo-portal has potential CSRF issue
CVE-2023-25569
5.7MEDIUM
What is CVE-2023-25569?
Apollo is a configuration management system. Prior to version 2.1.0, a low-privileged user can create a special web page. If an authenticated portal admin visits this page, the page can silently send a request to assign new roles for that user without any confirmation from the Portal admin. Cookie SameSite strategy was set to Lax in version 2.1.0. As a workaround, avoid visiting unknown source pages.
Affected Version(s)
apollo < 2.1.0
