PT-2019-11270 · Taoensso · Taoensso Sente

Published 2019-02-04 · Updated 2019-02-20 · CVE-2019-1000022

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Taoensso Sente versions prior to 1.14.0
Description: The WebSocket handshake endpoint is vulnerable to Cross-Site Request Forgery (CSRF). A forged cross-site request to this endpoint is accepted, which allows a CSRF attack and can leak the anti-CSRF token to the attacker. The issue is exploitable with a single malicious request against the WebSocket handshake endpoint.
Recommendations: For versions prior to 1.14.0, update to version 1.14.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the WebSocket handshake endpoint until the update is applied.
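As an added illustration (written for this page, not Sente's code, and in Python rather than Clojure), the two server-side checks that close this class of issue on a WebSocket handshake endpoint: validate the browser-supplied Origin header against an allow-list, and require the session's anti-CSRF token on the handshake request instead of returning it in the handshake response. The request shape, the csrf-token parameter name and the allow-list are assumptions.

```python
# Added example, not Sente's code. A browser always sends an Origin header on a
# WebSocket upgrade and cannot forge it, so a cross-site handshake arrives with
# the attacker's origin and without the victim's anti-CSRF token.
from dataclasses import dataclass, field
from typing import Optional, Tuple
from urllib.parse import parse_qs
import hmac


@dataclass
class HandshakeRequest:
    # Constructed stand-in for an HTTP upgrade request (assumption, not a framework type).
    origin: Optional[str]            # value of the Origin header, None if absent
    query: str                       # raw query string of the handshake URL
    session_csrf_token: Optional[str]  # token bound to the caller's server-side session
    headers: dict = field(default_factory=dict)


ALLOWED_ORIGINS = {"https://app.example.test"}  # assumption: the app's own origin(s)


def handshake_allowed(req: HandshakeRequest) -> Tuple[bool, str]:
    """Return (accepted, reason). Reject before any token is ever sent back."""
    if req.headers.get("Upgrade", "").lower() != "websocket":
        return False, "not-a-websocket-upgrade"
    # Check 1: Origin must be present and on the allow-list. A missing Origin on an
    # upgrade request is treated as hostile rather than trusted.
    if req.origin is None or req.origin not in ALLOWED_ORIGINS:
        return False, "bad-origin"
    # Check 2: the handshake must carry the session's anti-CSRF token; the token is
    # compared in constant time and is never echoed in the response.
    supplied = parse_qs(req.query).get("csrf-token", [""])[0]
    if not req.session_csrf_token or not hmac.compare_digest(supplied, req.session_csrf_token):
        return False, "bad-csrf-token"
    return True, "ok"


def demo() -> dict:
    """Run a legitimate handshake and two forged ones (constructed sample requests)."""
    ws = {"Upgrade": "websocket"}
    good = HandshakeRequest("https://app.example.test", "client-id=1&csrf-token=tok123", "tok123", ws)
    cross_site = HandshakeRequest("https://evil.example.test", "client-id=1", "tok123", ws)
    no_token = HandshakeRequest("https://app.example.test", "client-id=1", "tok123", ws)
    return {"good": handshake_allowed(good),
            "cross_site": handshake_allowed(cross_site),
            "no_token": handshake_allowed(no_token)}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```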

Exploit · Fix · CSRF


Weakness Enumeration

Related Identifiers: CVE-2019-1000022

Affected Products: Taoensso Sente