
CVE-2022-3274: rdiffweb Cross-Site Request Forgery vulnerability can lead to user email ID being changed

CVSS Score
7 (CVSS 3.0)

Basic Information

EPSS Score
0.76934%
Published
9/23/2022
Updated
10/25/2024
KEV Status
No
Technology
Python

Technical Details

CVSS Vector
CVSS:3.0/AV:A/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:H
Affected Package
Package Name: rdiffweb
Ecosystem: pip
Vulnerable Versions: < 2.4.7
First Patched Version: 2.4.7

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stemmed from handling user settings actions without CSRF protections. The pre-patch code in pref_general.py's render_prefs_panel function executed actions like 'set_profile_info' based solely on the 'action' parameter, regardless of HTTP method. The fix added a critical cherrypy.request.method == 'POST' check, indicating the original vulnerability allowed non-POST requests to modify user settings. This matches classic CSRF patterns where attackers can forge GET requests to execute privileged actions.
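The dispatch pattern described above, reduced to a runnable illustration. This is added example code, not rdiffweb's own source: `Request`, `User`, `render_prefs_panel_vulnerable`, `render_prefs_panel_fixed` and `run_scenarios` are stand-ins written for this page, and the request object imitates only the two fields of `cherrypy.request` that matter here (method and parameters) so the file runs without CherryPy. The first handler reproduces the pre-patch shape, where the `action` parameter alone decides whether a user's email is rewritten, so a forged GET is honoured. The second adds the `POST` check that 2.4.7 introduced and, as an assumption beyond the page's fix, a per-session synchronizer token, because a method check alone does not stop a forged cross-site POST form.

```python
"""Added illustration (not rdiffweb's code) of an 'action'-dispatching
preferences handler in its pre-patch and hardened shapes."""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    """Minimal stand-in for cherrypy.request: HTTP method plus parsed params."""
    method: str
    params: dict = field(default_factory=dict)


@dataclass
class User:
    email: str
    # Per-session secret used by the hardened handler (assumed; not part of the page's fix).
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


def render_prefs_panel_vulnerable(request: Request, user: User) -> str:
    """Pre-patch shape: only the 'action' value is consulted, never the method.
    A GET carrying action=set_profile_info&email=... therefore changes the
    email, which is exactly what makes it forgeable from another site."""
    action = request.params.get("action")
    if action == "set_profile_info":
        user.email = request.params["email"]
        return "updated"
    return "panel"


def render_prefs_panel_fixed(request: Request, user: User) -> str:
    """Hardened shape:
    1. state-changing actions are accepted only on POST (the 2.4.7 check);
    2. the submitted synchronizer token must match the session's token
       (added here beyond the page's fix) so a forged POST form fails too."""
    action = request.params.get("action")
    if action == "set_profile_info":
        if request.method != "POST":
            return "rejected: method"
        token = request.params.get("csrf_token", "")
        if not hmac.compare_digest(token, user.csrf_token):
            return "rejected: token"
        user.email = request.params["email"]
        return "updated"
    return "panel"


def run_scenarios() -> dict:
    """Drive both handlers with constructed requests; returns the outcome per case."""
    # Constructed parameters of a forged request: no token, arbitrary method.
    forged = {"action": "set_profile_info", "email": "changed@example.invalid"}
    results = {}

    victim = User(email="victim@example.invalid")
    results["vulnerable_get"] = render_prefs_panel_vulnerable(Request("GET", dict(forged)), victim)
    results["vulnerable_get_email"] = victim.email

    victim = User(email="victim@example.invalid")
    results["fixed_get"] = render_prefs_panel_fixed(Request("GET", dict(forged)), victim)
    results["fixed_post_no_token"] = render_prefs_panel_fixed(Request("POST", dict(forged)), victim)
    results["fixed_email_after_forgeries"] = victim.email

    # A legitimate submission from the application's own form carries the session token.
    legit = dict(forged, csrf_token=victim.csrf_token)
    results["fixed_post_with_token"] = render_prefs_panel_fixed(Request("POST", legit), victim)
    results["fixed_email_after_legit"] = victim.email
    return results


if __name__ == "__main__":
    for case, outcome in run_scenarios().items():
        print(f"{case}: {outcome}")
```

Run as a script to see each case: the vulnerable handler rewrites the email on a bare GET, while the hardened handler rejects that GET on method, rejects a token-less POST, and accepts only the submission that carries the session token.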

Vulnerable functions


WAF Protection Rules

WAF Rule

rdiffweb prior to version 2.4.7 is vulnerable to Cross-Site Request Forgery (CSRF). An attacker can change a user's email ID. Version 2.4.7 has a fix for this issue.
