Enterprise Linux For Power Little Endian Eus
CVE-2023-5455
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Lifecycle Timeline
2DescriptionCVE.org
A Cross-site request forgery vulnerability exists in ipa/session/login_password in all supported versions of IPA. This flaw allows an attacker to trick the user into submitting a request that could perform actions as the user, resulting in a loss of confidentiality and system integrity. During community penetration testing it was found that for certain HTTP end-points FreeIPA does not ensure CSRF protection. Due to implementation details one cannot use this flaw for reflection of a cookie representing already logged-in user. An attacker would always have to go through a new authentication attempt.
AnalysisAI
A Cross-site request forgery vulnerability exists in ipa/session/login_password in all supported versions of IPA.
Technical ContextAI
Cross-Site Request Forgery forces authenticated users to perform unintended actions by tricking their browser into sending forged requests. This vulnerability is classified as Cross-Site Request Forgery (CSRF) (CWE-352).
RemediationAI
Implement anti-CSRF tokens for all state-changing operations. Use SameSite cookie attribute. Verify the Origin/Referer header on the server side.
Remote code execution in OpenSSH's sshd server (regression of CVE-2006-5051) allows unauthenticated remote attackers to
In PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11 in certain configurations of FPM setup it
A flaw was found in rsync which could be triggered when rsync compares file checksums. Rated high severity (CVSS 7.5), t
OpenSLP as used in ESXi and the Horizon DaaS appliances has a heap overwrite issue. Rated critical severity (CVSS 9.8),
Stack-based buffer overflow in libxml2's xmlBuildQName function allows remote unauthenticated attackers to crash affecte
A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user.4.4
A stack overflow flaw was found in the Linux kernel's TIPC protocol functionality in the way a user sends a packet with
Server-to-client path traversal in rsync lets a malicious or compromised rsync server write files outside the client's i
A buffer overflow vulnerability was found in the Netfilter subsystem in the Linux Kernel. Rated high severity (CVSS 7.8)
In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event, worker or prefork, code executing in less-privilege
Heap-based buffer overflow in GLib's g_escape_uri_string() function allows local attackers to achieve high-integrity and
A flaw was found in Yelp. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today