vendor:
perfSONAR
by:
Ryan Moore
4.3
CVSS
MEDIUM
Partial Blind CSRF
352
CWE
Product Name: perfSONAR
Affected Version From: v4.x
Affected Version To: v4.4.5
Patch Exists: YES
Related CWE: CVE-2022-41413
CPE: perfsonar
Platforms Tested:
2022
perfSONAR v4.4.5 – Partial Blind CSRF
A partial blind CSRF vulnerability exists in perfSONAR v4.x <= v4.4.5 within the /perfsonar-graphs/ test results page. Parameters and values can be injected/passed via the URL parameter, forcing the client to connect unknowingly in the background to other sites via transparent XMLHTTPRequests. This partial blind CSRF bypasses the built-in whitelisting function in perfSONAR.
Mitigation:
This vulnerability was patched in perfSONAR v4.4.6.