CVE-2024-9847 (GCVE-0-2024-9847)
Vulnerability from cvelistv5
Published
2025-03-20 10:09
Modified
2025-03-20 18:56
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Summary
FlatPress CMS version latest is vulnerable to Cross-Site Request Forgery (CSRF) attacks that allow an attacker to enable or disable plugins on behalf of a victim user. The attacker can craft a malicious link or script that, when clicked by an authenticated user, will send a request to the FlatPress CMS server to perform the desired action on behalf of the victim user. Since the request is authenticated, the server will process it as if it were initiated by the legitimate user, effectively allowing the attacker to perform unauthorized actions. This vulnerability is fixed in version 1.4.dev.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| flatpressblog | flatpressblog/flatpress | unspecified < 1.4.dev |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-9847",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-20T17:50:32.386237Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-20T18:56:24.410Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "flatpressblog/flatpress",
"vendor": "flatpressblog",
"versions": [
{
"lessThan": "1.4.dev",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FlatPress CMS version latest is vulnerable to Cross-Site Request Forgery (CSRF) attacks that allow an attacker to enable or disable plugins on behalf of a victim user. The attacker can craft a malicious link or script that, when clicked by an authenticated user, will send a request to the FlatPress CMS server to perform the desired action on behalf of the victim user. Since the request is authenticated, the server will process it as if it were initiated by the legitimate user, effectively allowing the attacker to perform unauthorized actions. This vulnerability is fixed in version 1.4.dev."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-20T10:09:19.509Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntr_ai"
},
"references": [
{
"url": "https://huntr.com/bounties/b30ef7b0-74ea-4cac-adc4-1cc8a5cb559e"
},
{
"url": "https://github.com/flatpressblog/flatpress/commit/a81c968f51f134b5e5f9bbe208aa12f4fbc329df"
}
],
"source": {
"advisory": "b30ef7b0-74ea-4cac-adc4-1cc8a5cb559e",
"discovery": "EXTERNAL"
},
"title": "Cross-Site Request Forgery (CSRF) in flatpressblog/flatpress"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntr_ai",
"cveId": "CVE-2024-9847",
"datePublished": "2025-03-20T10:09:19.509Z",
"dateReserved": "2024-10-10T21:14:30.955Z",
"dateUpdated": "2025-03-20T18:56:24.410Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2024-9847\",\"sourceIdentifier\":\"security@huntr.dev\",\"published\":\"2025-03-20T10:15:50.177\",\"lastModified\":\"2025-03-20T10:15:50.177\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"FlatPress CMS version latest is vulnerable to Cross-Site Request Forgery (CSRF) attacks that allow an attacker to enable or disable plugins on behalf of a victim user. The attacker can craft a malicious link or script that, when clicked by an authenticated user, will send a request to the FlatPress CMS server to perform the desired action on behalf of the victim user. Since the request is authenticated, the server will process it as if it were initiated by the legitimate user, effectively allowing the attacker to perform unauthorized actions. This vulnerability is fixed in version 1.4.dev.\"},{\"lang\":\"es\",\"value\":\"La \u00faltima versi\u00f3n de FlatPress CMS es vulnerable a ataques de Cross-Site Request Forgery (CSRF), que permiten a un atacante habilitar o deshabilitar complementos en nombre de un usuario v\u00edctima. El atacante puede manipular un enlace o script malicioso que, al hacer clic en \u00e9l un usuario autenticado, enviar\u00e1 una solicitud al servidor de FlatPress CMS para realizar la acci\u00f3n deseada en nombre del usuario v\u00edctima. Dado que la solicitud est\u00e1 autenticada, el servidor la procesar\u00e1 como si la hubiera iniciado el usuario leg\u00edtimo, lo que permite al atacante realizar acciones no autorizadas. Esta vulnerabilidad est\u00e1 corregida en la versi\u00f3n 1.4.dev.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"security@huntr.dev\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H\",\"baseScore\":8.0,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.3,\"impactScore\":6.0}]},\"weaknesses\":[{\"source\":\"security@huntr.dev\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-352\"}]}],\"references\":[{\"url\":\"https://github.com/flatpressblog/flatpress/commit/a81c968f51f134b5e5f9bbe208aa12f4fbc329df\",\"source\":\"security@huntr.dev\"},{\"url\":\"https://huntr.com/bounties/b30ef7b0-74ea-4cac-adc4-1cc8a5cb559e\",\"source\":\"security@huntr.dev\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-9847\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-03-20T17:50:32.386237Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-03-20T17:50:34.267Z\"}}], \"cna\": {\"title\": \"Cross-Site Request Forgery (CSRF) in flatpressblog/flatpress\", \"source\": {\"advisory\": \"b30ef7b0-74ea-4cac-adc4-1cc8a5cb559e\", \"discovery\": \"EXTERNAL\"}, \"metrics\": [{\"cvssV3_0\": {\"scope\": \"CHANGED\", \"version\": \"3.0\", \"baseScore\": 8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"flatpressblog\", \"product\": \"flatpressblog/flatpress\", \"versions\": [{\"status\": \"affected\", \"version\": \"unspecified\", \"lessThan\": \"1.4.dev\", \"versionType\": \"custom\"}]}], \"references\": [{\"url\": \"https://huntr.com/bounties/b30ef7b0-74ea-4cac-adc4-1cc8a5cb559e\"}, {\"url\": \"https://github.com/flatpressblog/flatpress/commit/a81c968f51f134b5e5f9bbe208aa12f4fbc329df\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"FlatPress CMS version latest is vulnerable to Cross-Site Request Forgery (CSRF) attacks that allow an attacker to enable or disable plugins on behalf of a victim user. The attacker can craft a malicious link or script that, when clicked by an authenticated user, will send a request to the FlatPress CMS server to perform the desired action on behalf of the victim user. Since the request is authenticated, the server will process it as if it were initiated by the legitimate user, effectively allowing the attacker to perform unauthorized actions. This vulnerability is fixed in version 1.4.dev.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-352\", \"description\": \"CWE-352 Cross-Site Request Forgery (CSRF)\"}]}], \"providerMetadata\": {\"orgId\": \"c09c270a-b464-47c1-9133-acb35b22c19a\", \"shortName\": \"@huntr_ai\", \"dateUpdated\": \"2025-03-20T10:09:19.509Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2024-9847\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-03-20T18:56:24.410Z\", \"dateReserved\": \"2024-10-10T21:14:30.955Z\", \"assignerOrgId\": \"c09c270a-b464-47c1-9133-acb35b22c19a\", \"datePublished\": \"2025-03-20T10:09:19.509Z\", \"assignerShortName\": \"@huntr_ai\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.