Joebeeton

Rank #19790 of 53,624 researchers · 13.2 total CVSS · 2 vulnerabilities (1 High, 1 Medium)
PT-2024-28451 · CVSS 4.4 · 2024-07-02 · Skilltree / Skilltree · CVE-2024-39326
**Name of the Vulnerable Software and Affected Versions** SkillTree versions prior to 2.12.6 **Description** The `/admin/projects/{projectname}/skills/{skillname}/video` endpoint accepts state-changing requests without any cross-site request forgery (CSRF) mitigation: the session cookie carries no SameSite attribute and the request is not bound to a CSRF token. A logged-in admin who visits an attacker-controlled page can therefore be made to submit a forged request to this endpoint, allowing the attacker to modify the videos, captions, and text of skills. **Recommendations** For versions prior to 2.12.6, update to version 2.12.6 or later, which resolves the issue. As a temporary workaround, restrict access to the `/admin/projects/{projectname}/skills/{skillname}/video` endpoint until the update is applied.
PT-2022-8883 · CVSS 8.8 · 2022-07-15 · Togglz / Togglz · CVE-2020-28191
**Name of the Vulnerable Software and Affected Versions** Togglz versions prior to 2.9.4 **Description** The Togglz console, which lets operators view and switch feature toggles, did not adequately protect its state-changing requests against Cross-Site Request Forgery: the token value could be guessed by an attacker, so a logged-in console user who visits an attacker-controlled page could be made to issue requests to the console on the attacker's behalf. **Recommendations** For versions prior to 2.9.4, update to version 2.9.4 or later, which adds CSRF protection to the Togglz console.
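Both advisories come down to the same missing control: a cookie-authenticated, state-changing endpoint that neither binds requests to an unguessable per-session token nor relies on a SameSite cookie attribute. The following Python is an added illustration of that defence, not code from SkillTree or Togglz. It models an admin endpoint shaped like the SkillTree video endpoint first without and then with CSRF checks, generates the token with a CSPRNG (the Togglz weakness was a guessable token), and includes a simplified model of how the SameSite attribute decides whether the browser attaches the session cookie to a cross-site POST. The hostnames, handler names and request path are assumptions for the example.

```python
# Added example (not SkillTree or Togglz code): CSRF-vulnerable vs. hardened
# handler for an admin endpoint, plus a model of the SameSite cookie rule.
import hmac
import secrets
from dataclasses import dataclass, field

SITE_ORIGIN = "https://skills.example.test"      # assumed application origin
ATTACKER_ORIGIN = "https://evil.example.test"    # assumed attacker origin
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
VIDEO_PATH = "/admin/projects/p1/skills/s1/video"  # assumed concrete path


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


SESSIONS = {}  # session id -> {"admin": bool, "csrf": token}
VIDEOS = {}    # skill path -> video URL


def new_admin_session() -> str:
    """Log in an admin. The CSRF token comes from a CSPRNG; a token derived from
    timestamps or counters would be guessable and defeat the check below."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"admin": True, "csrf": secrets.token_urlsafe(32)}
    return sid


def session_cookie_header(sid: str, same_site: str = "Lax") -> str:
    """Set-Cookie value; SameSite=Lax/Strict is the 'same-site flag'."""
    return f"SESSION={sid}; Path=/; Secure; HttpOnly; SameSite={same_site}"


def browser_attaches_cookie(same_site: str, cross_site: bool, method: str) -> bool:
    """Simplified browser rule: Strict never sends the cookie cross-site, Lax only
    on top-level GET navigations, None always (the pre-SameSite behaviour)."""
    if not cross_site:
        return True
    if same_site == "Strict":
        return False
    if same_site == "Lax":
        return method == "GET"
    return True


def _session_for(req: Request):
    return SESSIONS.get(req.cookies.get("SESSION"))


def vulnerable_update_video(req: Request) -> int:
    """Cookie-only authentication: any cross-site POST carrying the cookie wins."""
    session = _session_for(req)
    if not session or not session["admin"]:
        return 401
    VIDEOS[req.path] = req.form.get("videoUrl")
    return 200


def hardened_update_video(req: Request) -> int:
    """Two independent CSRF checks on unsafe methods: the Origin (or Referer) must
    be this site, and the request must carry the session's CSRF token."""
    session = _session_for(req)
    if not session or not session["admin"]:
        return 401
    if req.method not in SAFE_METHODS:
        origin = req.headers.get("Origin") or req.headers.get("Referer", "")
        # exact origin or a URL under it; a bare prefix test would accept
        # https://skills.example.test.evil
        if origin != SITE_ORIGIN and not origin.startswith(SITE_ORIGIN + "/"):
            return 403
        token = req.headers.get("X-CSRF-Token") or req.form.get("_csrf", "")
        if not hmac.compare_digest(token, session["csrf"]):  # constant time
            return 403
    VIDEOS[req.path] = req.form.get("videoUrl")
    return 200


def cross_site_post(sid: str, same_site: str) -> Request:
    """What the victim's browser sends when an attacker page auto-submits a form
    to the endpoint: attacker Origin, no token, cookie only if SameSite allows."""
    cookies = {"SESSION": sid} if browser_attaches_cookie(same_site, True, "POST") else {}
    return Request("POST", VIDEO_PATH, headers={"Origin": ATTACKER_ORIGIN},
                   cookies=cookies, form={"videoUrl": ATTACKER_ORIGIN + "/video.mp4"})


def legitimate_post(sid: str) -> Request:
    """Same request from the application's own page, carrying the session token."""
    return Request("POST", VIDEO_PATH,
                   headers={"Origin": SITE_ORIGIN, "X-CSRF-Token": SESSIONS[sid]["csrf"]},
                   cookies={"SESSION": sid}, form={"videoUrl": SITE_ORIGIN + "/intro.mp4"})


if __name__ == "__main__":
    sid = new_admin_session()
    print(session_cookie_header(sid))
    print("vulnerable, no SameSite :", vulnerable_update_video(cross_site_post(sid, "None")))
    print("vulnerable, SameSite=Lax:", vulnerable_update_video(cross_site_post(sid, "Lax")))
    print("hardened, no SameSite   :", hardened_update_video(cross_site_post(sid, "None")))
    print("hardened, legitimate    :", hardened_update_video(legitimate_post(sid)))
```

The vulnerable handler accepts the forged POST as soon as the cookie arrives (200), which is exactly the SkillTree condition; a SameSite=Lax cookie alone stops it (401, no session) but only for browsers that enforce the attribute, so the hardened handler also checks Origin and a per-session token. The token check is the control that Togglz 2.9.4 added, and it is only as strong as the token's unpredictability.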