CVE-2023-38885 — HIGH (8.8)

Vulnerability Description

OpenSIS Classic Community Edition version 9.0 lacks cross-site request forgery (CSRF) protection throughout the whole app. This may allow an attacker to trick an authenticated user into performing any kind of state changing request.

CVSS Score

8.8

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Os4Ed	Opensis	9.0

Related Weaknesses (CWE)

CWE-352

References

https://github.com/OS4ED/openSIS-ClassicRelease Notes
https://github.com/dub-flow/vulnerability-research/tree/main/CVE-2023-38885Vendor Advisory
https://www.os4ed.com/Product
https://github.com/OS4ED/openSIS-ClassicRelease Notes
https://github.com/dub-flow/vulnerability-research/tree/main/CVE-2023-38885Vendor Advisory
https://www.os4ed.com/Product

FAQ

What is CVE-2023-38885?

CVE-2023-38885 is a vulnerability with a CVSS score of 8.8 (HIGH). OpenSIS Classic Community Edition version 9.0 lacks cross-site request forgery (CSRF) protection throughout the whole app. This may allow an attacker to trick an authenticated user into performing any...

How severe is CVE-2023-38885?

CVE-2023-38885 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2023-38885?

Check the references section above for vendor advisories and patch information. Affected products include: Os4Ed Opensis.