CVE-2023-6671 - OpenCVE

A vulnerability has been discovered on OJS, that consists in a CSRF (Cross-Site Request Forgery) attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Openjournalsystems	Open Journal Systems

Configuration 1 [-]

cpe:2.3:a:openjournalsystems:open_journal_systems:3.3.0.13:*:*:*:*:*:*:*

References

Link	Resource
https://www.incibe.es/en/incibe-cert/notices/aviso/cross-site-request-forgery-open-journal-systems	Patch Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: INCIBE

Published: 2023-12-11T13:53:59.380Z

Updated: 2023-12-11T13:53:59.380Z

Reserved: 2023-12-11T08:33:43.156Z

Link: CVE-2023-6671

JSON object: View

NVD Information

Status : Analyzed

Published: 2023-12-11T14:15:32.150

Modified: 2023-12-13T20:26:53.753

Link: CVE-2023-6671

JSON object: View

Redhat Information

No data.

CWE

CWE-352

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-6671", "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "state": "PUBLISHED", "assignerShortName": "INCIBE", "dateReserved": "2023-12-11T08:33:43.156Z", "datePublished": "2023-12-11T13:53:59.380Z", "dateUpdated": "2023-12-11T13:53:59.380Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "OPEN JOURNAL SYSTEMS", "vendor": "OPEN JOURNAL SYSTEMS", "versions": [{"status": "affected", "version": "3.3.0.13"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "David C\u00e1mara Galindo"}], "datePublic": "2023-12-11T11:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "A vulnerability has been discovered on OJS, that consists in a CSRF (Cross-Site Request Forgery) attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated."}], "value": "A vulnerability has been discovered on OJS, that consists in a CSRF (Cross-Site Request Forgery) attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated."}], "impacts": [{"capecId": "CAPEC-62", "descriptions": [{"lang": "en", "value": "CAPEC-62 Cross Site Request Forgery"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "shortName": "INCIBE", "dateUpdated": "2023-12-11T13:53:59.380Z"}, "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/cross-site-request-forgery-open-journal-systems"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "There is no reported solution at this time."}], "value": "There is no reported solution at this time."}], "source": {"discovery": "EXTERNAL"}, "title": "Cross-Site Request Forgery on OPEN JOURNAL SYSTEMS", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}