Home
MEDIUM: 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:NDefault status
affected
Any version before 6233d73e
affected
Description
Cross-site request forgery (CSRF) in NewsItemApiController in SimplCommerce prior to commit 6233d73e allows an unauthenticated remote attacker to create or modify news items as an administrator via a crafted form submitted to `/api/news-items`, due to missing anti-CSRF protection.
Problem types
CWE-352 Cross-Site request forgery (CSRF)
Product status
Any version before 6233d73e
References
github.com/simplcommerce/SimplCommerce/pull/1150
github.com/...ommit/6233d73e134c887fc3f3308d20710bec096d45e3