Vulnerability Description
In csrf-magic before 1.0.4, if $GLOBALS['csrf']['secret'] is not configured, the Anti-CSRF Token used is predictable and would permit an attacker to bypass the CSRF protections, because an automatically generated secret is not used.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Csrf-Magic Project | Csrf-Magic | < 1.0.4 |
Related Weaknesses (CWE)
References
- http://csrf.htmlpurifier.org/news/2013/0717-1.0.4-releasedRelease NotesVendor Advisory
- http://repo.or.cz/csrf-magic.git/blob/HEAD:/NEWS.txtRelease NotesThird Party Advisory
- http://repo.or.cz/csrf-magic.git/commit/9d2537f70d58b16aeba89779aaf1573b8d618e11PatchThird Party Advisory
- http://csrf.htmlpurifier.org/news/2013/0717-1.0.4-releasedRelease NotesVendor Advisory
- http://repo.or.cz/csrf-magic.git/blob/HEAD:/NEWS.txtRelease NotesThird Party Advisory
- http://repo.or.cz/csrf-magic.git/commit/9d2537f70d58b16aeba89779aaf1573b8d618e11PatchThird Party Advisory
FAQ
What is CVE-2013-7464?
CVE-2013-7464 is a vulnerability with a CVSS score of 8.8 (HIGH). In csrf-magic before 1.0.4, if $GLOBALS['csrf']['secret'] is not configured, the Anti-CSRF Token used is predictable and would permit an attacker to bypass the CSRF protections, because an automatical...
How severe is CVE-2013-7464?
CVE-2013-7464 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2013-7464?
Check the references section above for vendor advisories and patch information. Affected products include: Csrf-Magic Project Csrf-Magic.