CVE-2021-45886

Name of the Vulnerable Software and Affected Versions PONTON X/P Messenger versions prior to 3.11.2

Description An issue was discovered where anti-CSRF tokens are globally valid, making the web application vulnerable to a weakened version of CSRF. This allows an arbitrary token of a low-privileged user, such as an operator, to be used to confirm actions of higher-privileged ones, such as xpadmin.

Recommendations For versions prior to 3.11.2, update to version 3.11.2 or later to resolve the issue. As a temporary workaround, consider restricting access to higher-privileged actions to minimize the risk of exploitation.