Description
Rukovoditel 2.5.2 uses a form_session_token value to protect forms against CSRF attacks. This protection can be bypassed with another user's valid token: the server accepts any valid token rather than only the one issued to the session that submits the form, so an attacker can place their own token in a forged request. An attacker can thus change the Admin password via a CSRF attack and escalate his/her privileges.
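The following is an added example illustrating the class of flaw described above; it is not Rukovoditel's code and makes no claim about how that application stores or checks form_session_token. The names TokenStore, validate_unbound, validate_bound and simulate_attack, and the session identifiers used, are assumptions made for the demonstration. It contrasts a check that accepts any token the server has ever issued (the bypass condition) with one that accepts only the token issued to the submitting session.

```python
import hmac
import secrets


class TokenStore:
    """Hypothetical server-side store of issued CSRF tokens (assumed for this example)."""

    def __init__(self):
        self.issued = set()        # every token ever handed out, regardless of owner
        self.by_session = {}       # session id -> the token issued to that session

    def issue(self, session_id):
        """Issue a fresh random token and record it under the caller's session."""
        token = secrets.token_hex(16)
        self.issued.add(token)
        self.by_session[session_id] = token
        return token


def validate_unbound(store, submitted):
    """Vulnerable check: any token the server has issued is accepted.

    Because the token is not tied to the session that submits the form, a
    token the attacker obtained for their own session passes validation
    when the victim's browser submits it.
    """
    return submitted in store.issued


def validate_bound(store, session_id, submitted):
    """Hardened check: only the token issued to the submitting session is accepted.

    The session id comes from the victim's own session cookie, so a token
    issued to a different (attacker) session never matches.
    """
    expected = store.by_session.get(session_id)
    if expected is None or submitted is None:
        return False
    # constant-time comparison avoids leaking the expected token via timing
    return hmac.compare_digest(expected, submitted)


def simulate_attack():
    """Replay the scenario: attacker's token, victim's session, both checks.

    All session ids and the forged form are constructed for this example.
    """
    store = TokenStore()
    admin_session = "sess-admin"
    attacker_session = "sess-attacker"

    # Both users log in and each receives a token for their own session.
    store.issue(admin_session)
    attacker_token = store.issue(attacker_session)

    # The attacker builds a password-change form carrying *their* token and
    # lures the Admin into submitting it. The Admin's browser attaches the
    # Admin's session cookie, so the server sees admin_session + attacker_token.
    forged_form = {"new_password": "attacker-chosen", "form_session_token": attacker_token}

    return {
        "vulnerable_accepted": validate_unbound(store, forged_form["form_session_token"]),
        "hardened_accepted": validate_bound(store, admin_session, forged_form["form_session_token"]),
    }


if __name__ == "__main__":
    print(simulate_attack())
```

The hardened variant is the minimal fix for this bug class: look the expected token up by the submitting session and compare, rather than checking membership in a global set of issued tokens. Regenerating the token per session (or per form) and rejecting a missing token are kept in the example because they are part of what makes the binding meaningful.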
Remediation
References