CVE-2020-15259
Summary
| CVE | CVE-2020-15259 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2020-11-06 20:15:00 UTC |
| Updated | 2020-11-18 21:16:00 UTC |
| Description | ad-ldap-connector's admin panel before version 5.0.13 does not provide CSRF protection, which when exploited may result in remote code execution or confidential data loss. CSRF exploits may occur if the user visits a malicious page containing a CSRF payload on the same machine that has access to the ad-ldap-connector admin console via a browser. You may be affected if you use the admin console included with ad-ldap-connector versions <=5.0.12. If you do not have the ad-ldap-connector admin console enabled or do not visit any other public URL while on the machine it is installed on, you are not affected. The issue is fixed in version 5.0.13. |
Risk And Classification
Problem Types: CWE-352 (Cross-Site Request Forgery)
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Auth0 | Ad/ldap Connector | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| ad-ldap-connector admin console vulnerable to CSRF attack · Advisory · auth0/ad-ldap-connector · GitHub | CONFIRM | github.com | Third Party Advisory |
| Merge pull request from GHSA-vx5q-cp9v-427v · auth0/ad-ldap-connector@8b79363 · GitHub | MISC | github.com | Patch, Third Party Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.