CVE-2018-9856: Kotti CSRF in the local roles implementation

July 12, 2018 (updated September 27, 2024)

Kotti before 1.3.2 and 2.x before 2.0.0b2 has CSRF in the local roles implementation, as demonstrated by triggering a permission change via a /admin-document/@@share request.

References

github.com/Kotti/Kotti
github.com/Kotti/Kotti/commit/69d3c8a5d7203ddaec5ced5901acf87baddd76be
github.com/Kotti/Kotti/issues/551
github.com/advisories/GHSA-3hq4-f2v6-q338
github.com/pypa/advisory-database/tree/main/vulns/kotti/PYSEC-2018-10.yaml
nvd.nist.gov/vuln/detail/CVE-2018-9856

Detect and mitigate CVE-2018-9856 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →