CVE-2018-19335

Name of the Vulnerable Software and Affected Versions Google Monorail versions prior to 2018-06-07

Description The issue allows for Cross-Site Search (XS-Search) due to CSV downloads being affected by CSRF. Calculations of download times, specifically for requests with a crafted groupby value, can be exploited to obtain sensitive information about the content of bug reports.

Recommendations For versions prior to 2018-06-07, update to a version released after 2018-06-07 to resolve the issue. As a temporary workaround, consider restricting access to CSV downloads and limiting the use of the groupby value in requests to minimize the risk of exploitation.