CVE-2024-9847

{"id": "CVE-2024-9847", "cveTags": [], "metrics": {"cvssMetricV30": [{"type": "Secondary", "source": "security@huntr.dev", "cvssData": {"scope": "CHANGED", "version": "3.0", "baseScore": 8.0, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 1.3}]}, "published": "2025-03-20T10:15:50.177", "references": [{"url": "https://github.com/flatpressblog/flatpress/commit/a81c968f51f134b5e5f9bbe208aa12f4fbc329df", "tags": ["Patch"], "source": "security@huntr.dev"}, {"url": "https://huntr.com/bounties/b30ef7b0-74ea-4cac-adc4-1cc8a5cb559e", "tags": ["Exploit", "Third Party Advisory"], "source": "security@huntr.dev"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security@huntr.dev", "description": [{"lang": "en", "value": "CWE-352"}]}], "descriptions": [{"lang": "en", "value": "FlatPress CMS version latest is vulnerable to Cross-Site Request Forgery (CSRF) attacks that allow an attacker to enable or disable plugins on behalf of a victim user. The attacker can craft a malicious link or script that, when clicked by an authenticated user, will send a request to the FlatPress CMS server to perform the desired action on behalf of the victim user. Since the request is authenticated, the server will process it as if it were initiated by the legitimate user, effectively allowing the attacker to perform unauthorized actions. This vulnerability is fixed in version 1.4.dev."}, {"lang": "es", "value": "La \u00faltima versi\u00f3n de FlatPress CMS es vulnerable a ataques de Cross-Site Request Forgery (CSRF), que permiten a un atacante habilitar o deshabilitar complementos en nombre de un usuario v\u00edctima. El atacante puede manipular un enlace o script malicioso que, al hacer clic en \u00e9l un usuario autenticado, enviar\u00e1 una solicitud al servidor de FlatPress CMS para realizar la acci\u00f3n deseada en nombre del usuario v\u00edctima. Dado que la solicitud est\u00e1 autenticada, el servidor la procesar\u00e1 como si la hubiera iniciado el usuario leg\u00edtimo, lo que permite al atacante realizar acciones no autorizadas. Esta vulnerabilidad est\u00e1 corregida en la versi\u00f3n 1.4.dev."}], "lastModified": "2025-06-24T14:38:04.610", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:flatpress:flatpress:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EA4D125F-CD88-4951-8066-05871F2E4EDD", "versionEndExcluding": "1.4"}], "operator": "OR"}]}], "sourceIdentifier": "security@huntr.dev"}