CVE-2022-40488 - Multiple Cross-Site Request Forgery on ProcessWire

1. Vulnerability Properties

Title: Multiple Cross-Site Request Forgery on ProcessWire
CVE ID: CVE-2022-40488
CVSSv3 Base Score: 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
Vendor: ProcessWire
Products: ProcessWire
Advisory Release Date: 06 Apr 2023
Advisory URL: https://labs.integrity.pt/advisories/cve-2022-40488/
Credits: Discovery by Filipe Azevedo (filipaze) <fa[at]integrity.pt> & Guilherme Santos (rondons) <gs[at]integrity.pt>

2. Vulnerability Summary

ProcessWire v3.0.200 was found to contain Cross-Site Request Forgery (CSRF) in critical functions, allowing a malicious user to create a super admin account.

3. Vulnerable Versions

  • <= 3.0.200

4. Solution

  • Update to version 3.0.206

5. Vulnerability Timeline

  • 09/Sept/22 - Bug reported to ProcessWire
  • 12/Sept/22 - Bug verified by vendor
  • 31/Oct/22 - Bug fixed by vendor
  • 06/Apr/23 - Advisory released
