CVE-2024-39326

Name of the Vulnerable Software and Affected Versions SkillTree versions prior to 2.12.6

Description The issue concerns a cross-site request forgery (CSRF) vulnerability in the /admin/projects/{projectname}/skills/{skillname}/video endpoint, which is open to exploitation due to the lack of CSRF mitigations, such as a same-site flag or CSRF token. This allows an attacker to perform a CSRF attack against a logged-in admin account, enabling them to modify videos, captions, and text of skills.

Recommendations For versions prior to 2.12.6, update to version 2.12.6 to resolve the issue. As a temporary workaround, consider restricting access to the /admin/projects/{projectname}/skills/{skillname}/video endpoint until the update is applied.