Description

Cross site request forgery in Kiteworks OwnCloud allows an unauthenticated attacker to forge requests. If a request has no Authorization header, it is created with an empty string as value by a rewrite rule. The CSRF check is done by comparing the header value to null, meaning that the existing CSRF check is bypassed in this case. An attacker can, for example, create a new administrator account if the request is executed in the browser of an authenticated victim.

INFO

Published Date :

2024-10-01T12:34:10.481Z

Last Modified :

2024-10-01T13:16:05.468Z

Source :

cirosec
AFFECTED PRODUCTS

The following products are affected by CVE-2023-7273 vulnerability.

Vendors Products
Kiteworks
  • Owncloud
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2023-7273.

URL Resource
https://cirosec.de/sa/sa-2023-012 cve-icon cve-icon
https://hackerone.com/reports/2041007 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact