SkillTree vulnerable to CSRF attack
CVE-2024-39326

4.4MEDIUM

Key Information:

Vendor

Nationalsecurityagency

Status
Skills-service
Vendor
CVE Published:
2 July 2024

What is CVE-2024-39326?

SkillTree is a micro-learning gamification platform. Prior to version 2.12.6, the endpoint /admin/projects/{projectname}/skills/{skillname}/video (and probably others) is open to a cross-site request forgery (CSRF) vulnerability. Due to the endpoint being CSRFable e.g POST request, supports a content type that can be exploited (multipart file upload), makes a state change and has no CSRF mitigations in place (samesite flag, CSRF token). It is possible to perform a CSRF attack against a logged in admin account, allowing an attacker that can target a logged in admin of Skills Service to modify the videos, captions, and text of the skill. Version 2.12.6 contains a patch for this issue.

Affected Version(s)

skills-service < 2.12.6

References

https://github.com/NationalSecurityAgency/skills-service/...
x_refsource_CONFIRM
https://github.com/NationalSecurityAgency/skills-service/...
x_refsource_MISC
https://github.com/NationalSecurityAgency/skills-service/...
x_refsource_MISC

CVSS V3.1

Score:
4.4
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

.