Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

Multiple CSRF Vulnerabilities in Django CRM 0.2.1

Related Vulnerabilities: CVE-2019-11457  
Source 
                							

                <!--X-Body-Begin-->
<!--X-User-Header-->
<a href="/fulldisclosure/"><img src="/images/fulldisclosure-logo.png" class="l-logo right" alt="fulldisclosure logo" width="80"></a>
<h2 class="m-list"><a href="/fulldisclosure/">Full Disclosure</a>
mailing list archives</h2>
<!--X-User-Header-End-->
<!--X-TopPNI-->
<div class="nav-bar">
<div class="nav-link">
<a href="29"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="date.html#30">By Date</a>
<a href="31"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<div class="nav-link">
<a href="29"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="index.html#30">By Thread</a>
<a href="31"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<form class="nst-search center" action="/search/fulldisclosure">
<input class="nst-search-q" name="q" type="search" placeholder="List Archive Search">
<button class="nst-search-button" title="Search">
<img style="width:100%;aspect-ratio:1/1;" alt="" aria-hidden="true" src="/shared/images/nst-icons.svg#search">
</button>
</form>

</div>

<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
<h1 class="m-title">Multiple CSRF Vulnerabilities in Django CRM 0.2.1</h1>
<hr>
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->


<em>From</em>: Daniel Bishtawi &lt;daniel () netsparker com&gt;


<em>Date</em>: Mon, 26 Aug 2019 10:21:40 +0200


<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<hr>
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
<pre style="margin: 0em;">Hello,

We are informing you about the vulnerabilities in Django CRM 0.2.1.

Here are the details:

Information
--------------------
Advisory by Netsparker
Name: Multiple CSRF Vulnerabilities in Django CRM 0.2.1
Affected Software: Django CRM
Affected Versions: 0.2.1
Homepage: <a rel="nofollow" href="https://github.com/MicroPyramid/Django-CRM">https://github.com/MicroPyramid/Django-CRM</a>
Vulnerability: Cross-site Request Forgery
Severity: 8.8 High
Status: Not Fixed
CVE-ID: CVE-2019-11457
CVSS Score (3.0): CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Netsparker Advisory Reference: NS-19-013

Technical Details
--------------------


   1. /change-password-by-admin/
   URL: <a rel="nofollow" href="http://{domain}/change-password-by-admin/">http://{domain}/change-password-by-admin/</a>
   Form Name: pasteform


   1. /api/settings/add/
   URL: <a rel="nofollow" href="http://{domain}/api/settings/add/">http://{domain}/api/settings/add/</a>
   Form Name: pasteform


   1. /cases/create/
   URL: <a rel="nofollow" href="http://{domain}/cases/create/">http://{domain}/cases/create/</a>
   Form Name: pasteform


   1. /change-password-by-admin/
   URL: <a rel="nofollow" href="http://{domain}/change-password-by-admin/">http://{domain}/change-password-by-admin/</a>
   Form Name: pasteform


   1. /comment/add/
   URL: <a rel="nofollow" href="http://{domain}/comment/add/">http://{domain}/comment/add/</a>
   Form Name: pasteform


   1. /documents/1/view/
   URL: <a rel="nofollow" href="http://{domain}/documents/1/view/">http://{domain}/documents/1/view/</a>
   Form Name: pasteform


   1. /documents/create/
   URL: <a rel="nofollow" href="http://{domain}/documents/create/">http://{domain}/documents/create/</a>
   Form Name: pasteform


   1. /opportunities/create/
   URL: <a rel="nofollow" href="http://{domain}/opportunities/create/">http://{domain}/opportunities/create/</a>
   Form Name: pasteform


   1. /login/
   URL: <a rel="nofollow" href="http://192.168.52.131:8000/login/">http://192.168.52.131:8000/login/</a>


For more information:
<a rel="nofollow" href="https://www.netsparker.com/web-applications-advisories/ns-19-013-csrf-vulnerabilities-in-django-crm/">https://www.netsparker.com/web-applications-advisories/ns-19-013-csrf-vulnerabilities-in-django-crm/</a>

Regards,

Daniel Bishtawi
Marketing Administrator | Netsparker Web Application Security Scanner
Follow us on Twitter &lt;<a rel="nofollow" href="https://twitter.com/netsparker">https://twitter.com/netsparker</a>&gt; | LinkedIn
&lt;<a rel="nofollow" href="https://www.linkedin.com/company/netsparker-ltd">https://www.linkedin.com/company/netsparker-ltd</a>&gt; | Facebook
&lt;<a rel="nofollow" href="https://facebook.com/netsparker">https://facebook.com/netsparker</a>&gt;
&lt;<a rel="nofollow" href="https://www.netsparker.com/blog/events/exhibiting-global-appsec-dc-2019/">https://www.netsparker.com/blog/events/exhibiting-global-appsec-dc-2019/</a>&gt;

_______________________________________________
Sent through the Full Disclosure mailing list
<a rel="nofollow" href="https://nmap.org/mailman/listinfo/fulldisclosure">https://nmap.org/mailman/listinfo/fulldisclosure</a>
Web Archives &amp; RSS: <a rel="nofollow" href="http://seclists.org/fulldisclosure/">http://seclists.org/fulldisclosure/</a>

</pre>
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<hr>
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->
<div class="nav-bar">
<div class="nav-link">
<a href="29"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="date.html#30">By Date</a>
<a href="31"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<div class="nav-link">
<a href="29"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="index.html#30">By Thread</a>
<a href="31"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
</div>
<h3 class="m-thread">Current thread:</h3>
<ul class="thread">
<li><strong>Multiple CSRF Vulnerabilities in Django CRM 0.2.1</strong> <em>Daniel Bishtawi (Aug 27)</em>
</li></ul>


<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->
<p>

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started