Attackers Can Trick Users into Submitting Malicious CSRF Requests, Leading to Privilege Escalation and Data Exposure
CVE-2024-45693

8.8HIGH

Key Information:

Vendor: Apache CloudStack
Status: Cloudstack
Vendor: CVE Published:; 16 October 2024

🔔 Create Apache CloudStack Vulnerability Alert

What is CVE-2024-45693?

A security vulnerability exists in the Apache CloudStack web interface, allowing authenticated users to be deceived into executing unauthorized Cross-Site Request Forgery (CSRF) actions. This flaw originates from a lack of proper validation of request origins. Exploitation of this vulnerability permits attackers to manipulate user sessions, gain elevated privileges, seize control over user accounts, disrupt operations, and access sensitive information managed by the affected cloud platform. Users on versions 4.15.1.0 to 4.18.2.3 and 4.19.0.0 to 4.19.1.1 are particularly impacted. It is highly recommended to upgrade to versions 4.18.2.4 or 4.19.1.2 or later to mitigate these risks.

References

https://cloudstack.apache.org/blog/security-release-advis...

https://lists.apache.org/thread/ktsfjcnj22x4kg49ctock3d9t...

https://cloudstack.apache.org/blog/security-release-advis...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 16, 2024