漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
SkillTree CSRF Vulnerability allows an attacker to modify the Video and Captions of a Skill
Vulnerability Description
SkillTree is a micro-learning gamification platform. Prior to version 2.12.6, the endpoint `/admin/projects/{projectname}/skills/{skillname}/video` (and probably others) is open to a cross-site request forgery (CSRF) vulnerability. Due to the endpoint being CSRFable e.g POST request, supports a content type that can be exploited (multipart file upload), makes a state change and has no CSRF mitigations in place (samesite flag, CSRF token). It is possible to perform a CSRF attack against a logged in admin account, allowing an attacker that can target a logged in admin of Skills Service to modify the videos, captions, and text of the skill. Version 2.12.6 contains a patch for this issue.
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N
Vulnerability Type
跨站请求伪造(CSRF)
Vulnerability Title
SkillTree 安全漏洞
Vulnerability Description
SkillTree是National Security Agency开源的一个微型学习游戏化平台。提供开箱即用的 UI 可视化、方便的客户端集成库,以及用于管理游戏化培训配置文件的创建和管理的仪表板。 SkillTree 2.12.6之前版本存在安全漏洞,该漏洞源于存在跨站请求伪造(CSRF)漏洞,允许攻击者修改视频、字幕和文本。
CVSS Information
N/A
Vulnerability Type
N/A