PT-2022-16324 · Rainworx · Auctionworx: Events Edition+1

Published

2022-05-02

Updated

2022-05-10

CVE-2022-23904

CVSS v3.1

8.0

High

Vector

AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Rainworx Auctionworx versions prior to 3.1R2

Description The issue allows an authenticated user to perform a Cross-Site Request Forgery (CSRF) attack, which can upgrade the user's account to admin and provide access to the auctionworx admin control panel. This affects AuctionWorx Enterprise and AuctionWorx: Events Edition.

Recommendations For versions prior to 3.1R2, update to version 3.1R2 or later to resolve the issue. As a temporary workaround, consider restricting access to the admin control panel to minimize the risk of exploitation.

Exploit

Fix

CSRF

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-352

Related Identifiers

CVE-2022-23904

Affected Products

Auctionworx Enterprise

Auctionworx: Events Edition

PT-2022-16324 · Rainworx · Auctionworx: Events Edition+1

CVE-2022-23904

Weakness Enumeration

Related Identifiers

Affected Products

References · 5