Fix for CVE-2024-7106 - Cross-Site Request Forgery?

Question

Fix for CVE-2024-7106 - Cross-Site Request Forgery?

Closed this issue 9 days ago · 8 comments

Hello

Is there a fix available (or planned) for CVE-2024-7106?

A vulnerability classified as problematic was found in Spina CMS 2.18.0. Affected by this vulnerability is an unknown functionality of the file /admin/media_folders. The manipulation leads to cross-site request forgery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-272431. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

At the moment Bundler Audit is recommending we "remove or disable this gem until a patch is available", which isn't much of a long-term solution!

Many thanks

Bramjetten commented 3 months ago

Agreed!

Answer 1 · 2024-09-02T14:42:24.000Z

No.

The "bug" they submitted is only tested on the live demo website and is caused by the live demo not having any authentication or authorization. Which is of course purposefully disabled for demo purposes...

This is not present in the Spina gem and has nothing to do with it. I've been unable to have this CVE removed. I have also never been contacted by the individual that published this CVE. It's a scam sadly.

I'm planning on re-adding password authentication to our live demo site and releasing a new version of the Spina gem just to clear this up.

Answer 2 · 2024-09-02T14:49:20.000Z

Thank you for the rapid response, and the context missing from the official CVE pages.

We use automated tooling to make sure we're addressing vulnerabilities (real or imagined!) so it is great to hear that there's a straightforward solution to this.

Please could this issue stay open until the new version is released?

Answer 3 · 2024-11-07T00:52:40.000Z

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

Answer 4 · 2024-11-18T08:13:15.000Z

Please can this be re-opened until the CVE is resolved?

Answer 5 · 2024-11-18T08:29:53.000Z

This CVE does not apply to the Spina gem, it's garbage. I don't know how to prevent someone from submitting this.

Answer 6 · 2024-11-18T08:42:39.000Z

I totally agree with your earlier assessment, but you also proposed a simple workaround:

make the demo more representative of an actual installation by not bypassing the login
put the demo creds on the website/README?
release a new 2.19 version so the CVE can suggest people upgrade

Many thanks!

Answer 7 · 2024-11-18T09:12:22.000Z

I deleted the live demo and opened a PR for v2.19: #1394