apollo-portal has potential CSRF issue
CVE-2023-25569

5.7MEDIUM

Key Information:

Status
Vendor
CVE Published:
20 February 2023

What is CVE-2023-25569?

Apollo is a configuration management system. Prior to version 2.1.0, a low-privileged user can create a special web page. If an authenticated portal admin visits this page, the page can silently send a request to assign new roles for that user without any confirmation from the Portal admin. Cookie SameSite strategy was set to Lax in version 2.1.0. As a workaround, avoid visiting unknown source pages.

Affected Version(s)

apollo < 2.1.0

References

CVSS V3.1

Score:
5.7
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.