
Egor Uvarov

Rank #32692 of 53,639 · Total CVSS 7.8 · Vulnerabilities: 1

PT-2024-2549 · CVSS 7.8 · 2024-01-10 · FreeIPA · FreeIPA · CVE-2023-5455
**Name of the Vulnerable Software and Affected Versions**

FreeIPA, all supported versions.

**Description**

A cross-site request forgery (CSRF) vulnerability exists in the `ipa/session/login_password` endpoint: an attacker can trick a user into submitting a request that performs actions as that user, resulting in a loss of confidentiality and system integrity. The flaw was discovered during community penetration testing, which found that FreeIPA does not enforce CSRF protection on certain HTTP endpoints. Due to implementation details, an attacker cannot use this flaw to reflect a cookie representing an already logged-in user; any exploitation has to go through a new authentication attempt, so the forged request can only force the victim's browser into a fresh login with the credentials the attacker places in it (a login CSRF).

**Recommendations**

As a temporary workaround, consider disabling the `login_password` component until a patch is available: restrict access to the `ipa/session/login_password` endpoint (for example with an access rule in the httpd configuration that serves FreeIPA) and avoid using password-based form login through that endpoint until the issue is resolved. At the moment there is no information about a newer version that contains a fix for this vulnerability.
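To make the login-CSRF mechanics concrete, here is an added, constructed example that is not FreeIPA's code and does not describe FreeIPA's actual patch. It models a `login_password`-style form endpoint as a WSGI handler in two variants: one that authenticates any POST regardless of where the browser submitted it from, and a hardened one that first checks the request's `Origin` (falling back to `Referer`) against the server's own host, the standard-header CSRF check that applies even before a session exists. The hostname `ipa.example.test`, the credential store, the cookie value and the attacker page are all assumptions for the demo.

```python
"""Login CSRF on a FreeIPA-style login_password endpoint (constructed demo).

Not FreeIPA's code: a vulnerable WSGI handler that accepts any form POST,
next to a hardened one that verifies Origin/Referer before authenticating.
"""
import hmac
import io
from urllib.parse import parse_qs, urlencode, urlparse

SERVER_HOST = "ipa.example.test"            # assumed FreeIPA web host
LOGIN_PATH = "/ipa/session/login_password"
CREDENTIALS = {"admin": "Secret123",        # constructed credential store
               "attacker": "Trap123"}       # account the attacker controls


def _read_form(environ):
    """Decode an application/x-www-form-urlencoded POST body."""
    length = int(environ.get("CONTENT_LENGTH") or 0)
    raw = environ["wsgi.input"].read(length).decode()
    return {k: v[0] for k, v in parse_qs(raw).items()}


def vulnerable_login_password(environ, start_response):
    """Logs in any POST carrying valid credentials, whichever site sent it."""
    if environ.get("REQUEST_METHOD") != "POST":
        start_response("405 Method Not Allowed", [("Allow", "POST")])
        return [b""]
    form = _read_form(environ)
    user, password = form.get("user"), form.get("password")
    if user in CREDENTIALS and password is not None \
            and hmac.compare_digest(CREDENTIALS[user], password):
        start_response("200 OK", [("Set-Cookie",
                                   "ipa_session=constructed; Secure; HttpOnly")])
        return [b"login successful"]
    start_response("401 Unauthorized", [])
    return [b"invalid credentials"]


def _same_origin(environ):
    """A cross-site form POST arrives with the attacker's Origin (or Referer);
    a same-origin one carries the server's. With neither header, refuse."""
    source = environ.get("HTTP_ORIGIN") or environ.get("HTTP_REFERER")
    if not source:
        return False
    parsed = urlparse(source)
    return parsed.scheme == "https" and parsed.hostname == SERVER_HOST


def hardened_login_password(environ, start_response):
    """Same endpoint with the source check in front of authentication."""
    if not _same_origin(environ):
        start_response("400 Bad Request", [])
        return [b"cross-site login request rejected"]
    return vulnerable_login_password(environ, start_response)


def post_login(app, user="admin", password="Secret123", origin=None, referer=None):
    """Drive a handler the way a browser form POST would; returns (status, body)."""
    body = urlencode({"user": user, "password": password}).encode()
    environ = {
        "REQUEST_METHOD": "POST",
        "PATH_INFO": LOGIN_PATH,
        "CONTENT_TYPE": "application/x-www-form-urlencoded",
        "CONTENT_LENGTH": str(len(body)),
        "wsgi.input": io.BytesIO(body),
    }
    if origin:
        environ["HTTP_ORIGIN"] = origin
    if referer:
        environ["HTTP_REFERER"] = referer
    captured = {}

    def start_response(status, headers):
        captured["status"] = status
        captured["headers"] = headers

    out = b"".join(app(environ, start_response))
    return captured["status"], out.decode()


# The attacker's page: a self-submitting form that makes the victim's browser
# POST the attacker's own credentials to the IPA server (login CSRF).
ATTACKER_PAGE = f"""<form id="f" method="POST" action="https://{SERVER_HOST}{LOGIN_PATH}">
  <input type="hidden" name="user" value="attacker">
  <input type="hidden" name="password" value="Trap123">
</form><script>document.getElementById("f").submit()</script>"""

if __name__ == "__main__":
    cross = "https://attacker.example"
    print("vulnerable, cross-site:", post_login(vulnerable_login_password, "attacker", "Trap123", origin=cross)[0])
    print("hardened, cross-site:  ", post_login(hardened_login_password, "attacker", "Trap123", origin=cross)[0])
    print("hardened, same-origin: ", post_login(hardened_login_password, origin=f"https://{SERVER_HOST}")[0])
```

The point of the demo is why the advisory's caveat matters: a session cookie or a `SameSite` attribute cannot protect a login form, because the victim has no session yet, so the defence has to come from the request's provenance (the `Origin`/`Referer` check shown here, or a pre-session anti-CSRF token in the form). Rejecting requests that carry neither header is the safe default; it will also reject clients whose privacy settings strip both, which is the trade-off to weigh before deploying such a rule in front of a real endpoint.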