Attackers Can Trick Users into Submitting Malicious CSRF Requests, Leading to Privilege Escalation and Data Exposure

CVE-2024-45693

Summary

A security vulnerability exists in the Apache CloudStack web interface, allowing authenticated users to be deceived into executing unauthorized Cross-Site Request Forgery (CSRF) actions. This flaw originates from a lack of proper validation of request origins. Exploitation of this vulnerability permits attackers to manipulate user sessions, gain elevated privileges, seize control over user accounts, disrupt operations, and access sensitive information managed by the affected cloud platform. Users on versions 4.15.1.0 to 4.18.2.3 and 4.19.0.0 to 4.19.1.1 are particularly impacted. It is highly recommended to upgrade to versions 4.18.2.4 or 4.19.1.2 or later to mitigate these risks.

References