WS-2020-0421
Good to know:
Date: October 9, 2020
The entry is classified as CSRF: an attacker can deliver the CSRF payload to the victim directly or host it on a website. The underlying issue is where Weblate set the session expiry. Setting it in middleware has the side effect of modifying the session on every request, which is not desired; it also forces session creation even when no session is needed. The logic is now reversed: the session default is the shorter lifespan, used for anonymous sessions, and authenticated sessions have a separate setting for their validity that is applied on login. The session already exists at that point and is changed only once per session lifetime.
Fixed in Weblate 4.3
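To make the side effects concrete, here is an added example that is not Weblate's code. It models Django-style sessions (lazy key allocation, a `modified` flag, `set_expiry()`) with a tiny in-memory store so the two placements of the expiry logic can be compared without Django installed. The setting names `SESSION_COOKIE_AGE` and `SESSION_COOKIE_AGE_AUTHENTICATED`, their values, and the request loop are assumptions for illustration only.

```python
"""Session expiry: set in middleware on every request vs. set once at login.

Added example (not Weblate's code). Session semantics mimic Django: a key is
allocated only when the session is first saved, and save() persists only if
the session was modified. Setting names and values are assumed.
"""

SESSION_COOKIE_AGE = 600                              # assumed: short default, anonymous sessions
SESSION_COOKIE_AGE_AUTHENTICATED = 7 * 24 * 3600      # assumed: applied once at login


class Store:
    """In-memory session backend that counts allocations and writes."""

    def __init__(self):
        self.rows = {}
        self.creates = 0
        self.writes = 0

    def new_key(self):
        self.creates += 1
        return f"sess{self.creates}"


class Session:
    """Minimal Django-like session object."""

    def __init__(self, store, key=None):
        self.store = store
        self.key = key
        self.data = dict(store.rows[key]) if key is not None else {}
        self.modified = False

    def set_expiry(self, seconds):
        # Like Django, the expiry lives in the session data, so this marks it modified.
        self.data["_session_expiry"] = seconds
        self.modified = True

    def get_expiry_age(self):
        return self.data.get("_session_expiry", SESSION_COOKIE_AGE)

    def __setitem__(self, name, value):
        self.data[name] = value
        self.modified = True

    def save(self):
        if not self.modified:
            return                      # untouched session: no row, no write
        if self.key is None:
            self.key = self.store.new_key()
        self.store.rows[self.key] = dict(self.data)
        self.store.writes += 1
        self.modified = False


def handle_request(store, cookie, authenticated, do_login, middleware_expiry):
    """One request through the session lifecycle; returns the cookie to send back."""
    session = Session(store, cookie)
    if middleware_expiry:
        # Old placement: middleware picks an expiry on every request, which
        # always modifies the session and creates one for anonymous visitors.
        age = SESSION_COOKIE_AGE_AUTHENTICATED if authenticated else SESSION_COOKIE_AGE
        session.set_expiry(age)
    if do_login:
        session["_auth_user_id"] = 1
        if not middleware_expiry:
            # Fixed placement: the session exists now; change its expiry once.
            session.set_expiry(SESSION_COOKIE_AGE_AUTHENTICATED)
    session.save()
    return session.key


def run_visitor(store, middleware_expiry, requests, login_at=None):
    """Drive one visitor; log in at request index `login_at` (None = stays anonymous)."""
    cookie, authenticated = None, False
    for i in range(requests):
        do_login = i == login_at
        cookie = handle_request(store, cookie, authenticated or do_login, do_login, middleware_expiry)
        authenticated = authenticated or do_login
    return cookie


def measure(middleware_expiry, requests=10, login_at=3):
    """Compare an anonymous visitor and a visitor who logs in, under one placement."""
    anon_store = Store()
    anon_cookie = run_visitor(anon_store, middleware_expiry, requests)
    user_store = Store()
    user_cookie = run_visitor(user_store, middleware_expiry, requests, login_at)
    return {
        "anon_session_created": anon_cookie is not None,
        "anon_writes": anon_store.writes,
        "user_writes": user_store.writes,
        "user_expiry": Session(user_store, user_cookie).get_expiry_age(),
    }


if __name__ == "__main__":
    print("middleware:", measure(True))
    print("on login:  ", measure(False))
```

With the middleware placement the anonymous visitor gets a persisted session and every request writes it; with the login placement the anonymous visitor never gets a row, the authenticated visitor's session is written once, and both end up with the longer authenticated lifetime.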
Language: Python
Severity Score
Weakness Type (CWE)
Cross-Site Request Forgery (CSRF)
CWE-352
CVSS v3.1
Base Score: 4.3 (computed from the metrics below)

| Metric | Value |
|---|---|
| Attack Vector (AV) | NETWORK |
| Attack Complexity (AC) | LOW |
| Privileges Required (PR) | NONE |
| User Interaction (UI) | REQUIRED |
| Scope (S) | UNCHANGED |
| Confidentiality (C) | NONE |
| Integrity (I) | NONE |
| Availability (A) | LOW |