Home > Vulnerability Database > WS-2022-0351

Mend.io Vulnerability Database

WS-2022-0351

Date: September 4, 2022

In outline/outline, an incorrect API design lead to Site wide CSRF. By design, the api body only accepts is json values. But sending non-json values is also possible, beside, api accept auth from accessToken in Cookie. All of that leads to many other consequences, typically CSRF.

Language: TYPE_SCRIPT

Severity Score

9.8

Related Resources (2)

Url: https://github.com/outline/outline/commit/89a133ea59f42ec23aec9a98fb3f852562e61f41

Url: https://www.mend.io/vulnerability-database/WS-2022-0351

Severity Score

9.8

Weakness Type (CWE)

Undefined Behavior for Input to API

CWE-475

CVSS v3.1

Base Score:	9.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

WS-2022-0351

Date: September 4, 2022

Language: TYPE_SCRIPT

Severity Score

Related Resources (2)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?