漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
CSRF Protection Bypass: Sensitive endpoints accept GET requests, enabling admin account takeover
Vulnerability Description
Easy!Appointments is a self hosted appointment scheduler. In 1.5.2 and earlier, application/core/EA_Security.php::csrf_verify() only enforces CSRF for POST requests and returns early for non-POST methods. Several application endpoints perform state-changing operations while accepting parameters from GET (or $_REQUEST), so an attacker can perform CSRF by forcing a victim's browser to issue a crafted GET request. Impact: creation of admin accounts, modification of admin email/password, and full admin account takeover.
CVSS Information
N/A
Vulnerability Type
跨站请求伪造(CSRF)
Vulnerability Title
Easy!Appointments 安全漏洞
Vulnerability Description
Easy!Appointments是Alex Tselegidis个人开发者的一套基于Web的预约、日程管理系统。 Easy!Appointments 1.5.2及之前版本存在安全漏洞,该漏洞源于仅对POST请求强制CSRF检查,可能导致跨站请求伪造攻击,包括管理员账户创建和接管。
CVSS Information
N/A
Vulnerability Type
N/A