PT-2020-10261 · Serpico · Serpico

Published 2020-01-15 · Updated 2020-01-17 · CVE-2019-19854

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Serpico version 1.3.0

Description: Serpico does not use CSRF tokens and relies solely on the Origin header to mitigate CSRF attacks. This becomes a problem when combined with an XSS vulnerability, since the combination allows privilege escalation from the User level to Administrator.

Recommendations: For Serpico version 1.3.0, implement CSRF tokens to mitigate CSRF attacks and fix any existing XSS vulnerabilities to prevent privilege escalation. As a temporary workaround, restrict access to sensitive areas of the application to minimize the risk of exploitation.
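The recommendation above amounts to adding a session-bound CSRF token on top of the existing Origin check. The following is an added example (not Serpico's own code) showing an Origin-only check beside a layered Origin-plus-token check; the request and session are plain hashes standing in for a Rack env and session store, and APP_ORIGIN is an assumed placeholder.

```ruby
require 'securerandom'

# Assumed deployment origin (placeholder, not a real Serpico value).
APP_ORIGIN = 'https://serpico.example'

# Origin-only check, the pattern the advisory describes: any state-changing
# request whose Origin matches the application's own origin is accepted.
def origin_only_ok?(request)
  request[:origin] == APP_ORIGIN
end

# Issue a random token once per session (synchronizer token pattern).
def issue_csrf_token(session)
  session[:csrf_token] ||= SecureRandom.hex(32)
end

# Constant-time comparison so the token check leaks nothing via timing.
def secure_equal?(a, b)
  return false if a.nil? || b.nil? || a.bytesize != b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Layered check: the Origin must match AND the submitted token must equal
# the session-bound one. Only state-changing verbs are checked.
def csrf_ok?(request, session)
  return true unless %w[POST PUT PATCH DELETE].include?(request[:method])
  return false unless request[:origin] == APP_ORIGIN
  secure_equal?(request[:csrf_token], session[:csrf_token])
end

if __FILE__ == $PROGRAM_NAME
  session = {}
  token = issue_csrf_token(session)
  cases = {
    'cross-site, no token'   => { method: 'POST', origin: 'https://other.example', csrf_token: nil },
    'same-origin, no token'  => { method: 'POST', origin: APP_ORIGIN, csrf_token: nil },
    'same-origin, valid token' => { method: 'POST', origin: APP_ORIGIN, csrf_token: token }
  }
  cases.each do |name, req|
    puts format('%-26s origin-only=%-5s layered=%s', name,
                origin_only_ok?(req), csrf_ok?(req, session))
  end
end
```

The second case is the gap the advisory points at: a same-origin request with no token passes the Origin-only check but fails the layered one.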

Fix

CSRF


Weakness Enumeration

Related Identifiers

CVE-2019-19854

Affected Products

Serpico