PT-2017-16418 · Rapid7 · Metasploit
Author: Mohamed A. Baset
Published: 2017-06-15 · Updated: 2019-10-09
CVE-2017-5244
CVSS v2.0: 3.5 (Low)
Vector: AV:N/AC:M/Au:S/C:N/I:N/A:P
Name of the Vulnerable Software and Affected Versions
Metasploit versions prior to 4.14.0 (Update 2017061301)
Description
A security issue allowed GET requests to stop running tasks, which should only be allowed via POST requests, as these actions change the service state. This could have enabled an attacker to stop running tasks by tricking an authenticated user into executing JavaScript.
Recommendations
For versions prior to 4.14.0 (Update 2017061301), update to Metasploit 4.14.0 (Update 2017061301) to ensure that only POST requests, which include a secret token to prevent CSRF attacks, are allowed to stop tasks.
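The pattern behind the fix, as an added example that is not Metasploit's own code: a task-stop handler that accepts any HTTP method sits beside one that requires POST and a per-session CSRF token. The request and session hashes, the `authenticity_token` parameter name and the `TASKS` table are constructed for this illustration.

```ruby
require 'securerandom'

# Constructed in-memory task table standing in for the service state.
TASKS = { 'task-1' => :running, 'task-2' => :running }

def reset_tasks
  TASKS.each_key { |k| TASKS[k] = :running }
end

# Session setup: mint a random CSRF token once per authenticated session.
def new_session
  { csrf_token: SecureRandom.hex(16) }
end

# Vulnerable handler: the method is never checked, so a GET issued by a
# cross-origin page runs the state change under the victim's session.
def stop_task_vulnerable(req)
  return [404, 'unknown task'] unless TASKS.key?(req[:task_id])
  TASKS[req[:task_id]] = :stopped
  [200, 'stopped']
end

# Hardened handler: state changes require POST plus a token that only a
# same-origin page holding the session could have supplied.
def stop_task_hardened(req, session)
  return [405, 'method not allowed'] unless req[:method] == 'POST'
  expected  = session[:csrf_token].to_s
  submitted = req[:params].fetch('authenticity_token', '').to_s
  return [403, 'invalid csrf token'] unless valid_token?(expected, submitted)
  return [404, 'unknown task'] unless TASKS.key?(req[:task_id])
  TASKS[req[:task_id]] = :stopped
  [200, 'stopped']
end

# Constant-time comparison so a mismatch does not leak where it occurred.
def valid_token?(expected, submitted)
  return false if expected.empty? || expected.bytesize != submitted.bytesize
  diff = 0
  expected.bytes.zip(submitted.bytes) { |a, b| diff |= a ^ b }
  diff.zero?
end
```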
Weakness: CSRF
Affected Products: Metasploit