usd-2018-0004 | Starface/126.96.36.199
Advisory ID: usd-2018-0004
CVE Number: N/A
Affected Product: Starface
Affected Version: 188.8.131.52
Vulnerability Type: Cross-site request forgery (CSRF)
Security Risk: Medium
Vendor URL: https://www.starface.com
Vendor Status:: Not fixed
In a CSRF attack the attacker can take actions of the web application in behalf of the victim. Therefore the user has to click on a malicious link of the attacker while being logged in to the web application.
Proof of Concept
The whole Starface application does not make use of any CSRF tokens.
=> PoC will be published when all issues are fixed.
Make sure that requests which change the state of the application (like add/change user information) have a valid CSRF token.
The security vulnerabilities were found by Sebastian Puttkammer of usd AG.