Mirumee Saleor 2.7.0 Cross-Site Request Forgery (CSRF) Vulnerability

Summary

In Mirumee Saleor 2.7.0 (fixed in 2.8.0), the CSRF protection middleware was accidentally disabled, so the server accepted POST requests that did not carry a valid CSRF token.

Credit:

The information has been provided by the vendor.

 

The original article can be found at:

https://github.com/mirumee/saleor/releases/tag/2.8.0


Details

An attacker could therefore send a request without a valid CSRF token, and the server would accept it.
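A regression check for this kind of mistake, as an added example that is not part of the advisory or of Saleor's code. It assumes a Django-style settings file (Saleor is a Django application) in which CSRF protection is the `django.middleware.csrf.CsrfViewMiddleware` entry of `MIDDLEWARE`. The advisory does not say how the middleware was disabled, so the settings fragments below are constructed.

```python
import ast

CSRF_MIDDLEWARE = "django.middleware.csrf.CsrfViewMiddleware"


def middleware_entries(settings_source):
    """Return the MIDDLEWARE entries a Django settings file defines, in order.

    Handles `MIDDLEWARE = [...]`, tuples, and later `MIDDLEWARE += [...]`.
    Commented-out entries never reach the AST, so they count as absent.
    """
    entries = []
    for node in ast.parse(settings_source).body:
        if isinstance(node, ast.Assign):
            targets, replace = node.targets, True
        elif isinstance(node, ast.AugAssign) and isinstance(node.op, ast.Add):
            targets, replace = [node.target], False
        else:
            continue
        if not any(isinstance(t, ast.Name) and t.id == "MIDDLEWARE" for t in targets):
            continue
        if not isinstance(node.value, (ast.List, ast.Tuple)):
            raise ValueError("MIDDLEWARE is not a literal list; check it at runtime")
        values = [ast.literal_eval(e) for e in node.value.elts]
        entries = values if replace else entries + values
    return entries


def csrf_middleware_enabled(settings_source):
    """True when the CSRF middleware is an active entry of MIDDLEWARE."""
    return CSRF_MIDDLEWARE in middleware_entries(settings_source)


# Constructed settings fragments (not taken from the Saleor repository).
DISABLED = '''
MIDDLEWARE = [
    "django.middleware.security.SecurityMiddleware",
    "django.contrib.sessions.middleware.SessionMiddleware",
    # "django.middleware.csrf.CsrfViewMiddleware",
    "django.contrib.auth.middleware.AuthenticationMiddleware",
]
'''
ENABLED = DISABLED.replace('# "django.middleware.csrf', '"django.middleware.csrf')

if __name__ == "__main__":
    for name, src in (("disabled", DISABLED), ("enabled", ENABLED)):
        ok = csrf_middleware_enabled(src)
        print(name, "->", "OK" if ok else "CSRF middleware missing")
```

Run in CI against the real settings file, a check like this fails the build when the middleware entry is dropped or commented out.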

 

Vulnerable Systems:

Mirumee Saleor 2.7.0

CVE Information:

CVE-2019-13594

 

Disclosure Timeline:
Published Date: 07/16/2019