CVE-2019-17590

Name of the Vulnerable Software and Affected Versions CSRF Magic library through 2016-03-27

Description The issue in the CSRF Magic library allows a remote attacker to bypass CSRF protection by tampering with the csrf token values. This can be exploited by crafting a malicious page and dispersing it to a victim via social engineering, enticing them to click the link. However, a third-party maintainer has disputed this, stating that the csrf callback function is a callback to the caller's own handler for output and can be changed via configuration. They claim that an attacker cannot change tokens to make them valid from the client side, and the only possible action is to pull the token out of the javascript, which is always possible and unrelated to the callback.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.