CVE-2013-7464

In csrf-magic before 1.0.4, if $GLOBALS['csrf']['secret'] is not configured, the Anti-CSRF Token used is predictable and would permit an attacker to bypass the CSRF protections, because an automatically generated secret is not used.
CSRF
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
8.8 HIGH
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 40%
VendorProductVersion
csrf-magic_projectcsrf-magic
𝑥
< 1.0.4
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
cacti
bullseye
1.2.16+ds1-2+deb11u3
fixed
bullseye (security)
1.2.16+ds1-2+deb11u4
fixed
bookworm
1.2.24+ds1-1+deb12u4
fixed
bookworm (security)
1.2.24+ds1-1+deb12u2
fixed
sid
1.2.28+ds1-2
fixed
trixie
1.2.28+ds1-2
fixed
zoneminder
bullseye
1.34.23-1
fixed
bookworm
1.36.33+dfsg1-1
fixed
sid
1.36.33+dfsg1-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
cacti
cosmic
not-affected
bionic
not-affected
xenial
not-affected
trusty
not-affected
Common Weakness Enumeration
References
http://csrf.htmlpurifier.org/news/2013/0717-1.0.4-released
http://repo.or.cz/csrf-magic.git/blob/HEAD:/NEWS.txt
http://repo.or.cz/csrf-magic.git/commit/9d2537f70d58b16aeba89779aaf1573b8d618e11
http://csrf.htmlpurifier.org/news/2013/0717-1.0.4-released
http://repo.or.cz/csrf-magic.git/blob/HEAD:/NEWS.txt
http://repo.or.cz/csrf-magic.git/commit/9d2537f70d58b16aeba89779aaf1573b8d618e11