usd-2018-0004 | Starface/6.4.3.34


Advisory ID: usd-2018-0004
CVE Number: N/A
Affected Product: Starface
Affected Version: 6.4.3.34
Vulnerability Type: Cross-site request forgery (CSRF)
Security Risk: Medium
Vendor URL: https://www.starface.com
Vendor Status: Not fixed

Description

In a CSRF attack the attacker causes the victim's browser to send a state-changing request to the web application, so the action is carried out with the victim's privileges. The only precondition is that the victim, while logged in to the application, visits a page or clicks a link under the attacker's control; the browser attaches the session cookie automatically.

Proof of Concept

The Starface web application does not use CSRF tokens anywhere, so every state-changing request can be forged by an attacker's page.
=> PoC will be published when all issues are fixed.

Fix

Make sure that every request which changes the state of the application (e.g. adding or changing user information) carries a valid CSRF token that is bound to the user's session and is verified server-side before the action is performed. Read-only requests (GET) must not change state, otherwise they cannot be exempted from the check.
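The following is an added example (not Starface code and not part of the original advisory) of the synchronizer-token pattern the fix describes: one random token per session, embedded in every form as a hidden field and verified with a constant-time comparison on each non-GET request. The in-memory session store, the request shape and the /user/update handler are assumptions made for the demonstration.

```python
"""Synchronizer-token CSRF protection for state-changing requests.

Added example, not Starface code.  Session store, request shape and the
/user/update handler are assumptions made for the demonstration.
"""
import hmac
import secrets

# Methods that must not change state and therefore need no token.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})


class CsrfGuard:
    """Issues one secret token per session and verifies it on every
    state-changing request (synchronizer token pattern)."""

    def __init__(self):
        self._tokens = {}  # session_id -> token (assumed in-memory store)

    def issue(self, session_id):
        """Return the session's token, creating a fresh random one on first use.
        The token goes into a hidden form field, never into a URL, so it does
        not leak through Referer headers or server logs."""
        if session_id not in self._tokens:
            self._tokens[session_id] = secrets.token_urlsafe(32)
        return self._tokens[session_id]

    def check(self, session_id, method, submitted_token):
        """True if the request may proceed."""
        if method.upper() in SAFE_METHODS:
            return True
        expected = self._tokens.get(session_id)
        if expected is None or submitted_token is None:
            return False
        # Constant-time comparison: the token cannot be guessed byte by byte.
        return hmac.compare_digest(expected.encode(), str(submitted_token).encode())


# Constructed user table standing in for "change user information".
USERS = {"alice": {"email": "alice@example.invalid"}}


def update_user_email(guard, request):
    """Hypothetical /user/update handler.  `request` is a dict with the keys
    session_id, method, user and form (POST fields).  Returns an
    (http_status, body) tuple so the outcome can be asserted."""
    form = request.get("form", {})
    if not guard.check(request["session_id"], request["method"], form.get("csrf_token")):
        return 403, "CSRF token missing or invalid"
    USERS[request["user"]]["email"] = form["email"]
    return 200, "updated"


def render_form(guard, session_id):
    """What the genuine page embeds: the session's token as a hidden field."""
    token = guard.issue(session_id)
    return ('<form method="POST" action="/user/update">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '<input name="email"><button>Save</button></form>')


def demo():
    """Runs a legitimate submission and two forged ones; returns their statuses."""
    guard = CsrfGuard()
    victim, attacker = "sess-victim", "sess-attacker"
    render_form(guard, victim)  # victim loads the genuine page, token issued

    # 1. Legitimate submit carrying the token from the genuine form.
    ok = update_user_email(guard, {
        "session_id": victim, "method": "POST", "user": "alice",
        "form": {"csrf_token": guard.issue(victim), "email": "new@example.invalid"}})
    # 2. Forged cross-site POST: the browser attaches the victim's session
    #    cookie, but the attacker's page cannot read the hidden token.
    forged = update_user_email(guard, {
        "session_id": victim, "method": "POST", "user": "alice",
        "form": {"email": "evil@example.invalid"}})
    # 3. Attacker embeds a token from their own session: rejected, because
    #    tokens are bound to the session that submits them.
    wrong = update_user_email(guard, {
        "session_id": victim, "method": "POST", "user": "alice",
        "form": {"csrf_token": guard.issue(attacker), "email": "evil@example.invalid"}})
    return ok[0], forged[0], wrong[0]


if __name__ == "__main__":
    print(demo(), USERS["alice"])  # (200, 403, 403) {'email': 'new@example.invalid'}
```

The check deliberately exempts only GET, HEAD and OPTIONS, so the fix also requires that no GET handler changes state; and it validates before touching the data, so a rejected request has no side effect.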

Credits

The security vulnerabilities were found by Sebastian Puttkammer of usd AG.