CVE-2014-0594

EUVD-2014-0625
In the Open Build Service (OBS) before version 2.4.6 the CSRF protection is incorrectly disabled in the web interface, allowing for requests without the user's consent.
CSRF
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.8 HIGH
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
microfocusCNA
8.8 HIGH
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 32%
Affected Products (NVD)
VendorProductVersion
opensuseopen_build_service
𝑥
< 2.4.6
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
open-build-service
bookworm
2.9.4-9
fixed
sid
2.9.4-10
fixed
trixie
2.9.4-10
fixed
Common Weakness Enumeration
References
https://bugzilla.suse.com/show_bug.cgi?id=870606
https://github.com/openSUSE/open-build-service/commit/2188c059b67b82171d0e28ef59f77e62d22a09d8
https://bugzilla.suse.com/show_bug.cgi?id=870606
https://github.com/openSUSE/open-build-service/commit/2188c059b67b82171d0e28ef59f77e62d22a09d8