CVE-2020-24983

March 19, 2021

An issue was discovered in Quadbase EspressReports ES 7 Update 9. An unauthenticated attacker can create a malicious HTML file that houses a POST request made to the DashboardBuilder within the target web application. This request will utilise the target admin session and perform the authenticated request (to change the Dashboard name) as if the victim had done so themselves, aka CSRF.

Summary:

An issue was discovered in Quadbase EspressReports ES 7 Update 9. An unauthenticated attacker can create a malicious HTML file that houses a POST request made to the DashboardBuilder within the target web application. This request will utilise the target admin session and perform the authenticated request (to change the Dashboard name) as if the victim had done so themselves, aka CSRF.

Reference Links(if available):

  • https://c41nc.co.uk/cve-2020-24983/

  • CVSS Score (if available)

    v2: / HIGH

    v3: /

    Links to Exploits(if available)

  • Tags: , , , ,

    You may have missed

    CISA Logo

    CISA: CISA Adds One Known Exploited Vulnerability to Catalog

    May 8, 2024
    CISA Logo

    CISA: CISA Releases Eight Industrial Control Systems Advisories

    May 8, 2024
    CISA Logo

    CISA: CISA Adds Three Known Exploited Vulnerabilities to Catalog

    May 8, 2024
    CISA Logo

    CISA: CERT/CC Reports R Programming Language Vulnerability

    May 8, 2024
    CISA Logo

    CISA: CISA Releases Three Industrial Control Systems Advisories

    May 8, 2024