SpagoBI Cross-Site Request Forgery Vulnerability in User Administration Panel

Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability exists in SpagoBI version 3.5.1, specifically within the user administration panel. The affected requests carry no anti-CSRF protection, so an attacker can cause an authenticated user to perform unintended actions, such as adding, editing, or deleting users, while that user is logged into the application.

Impact

Exploitation of this vulnerability allows an attacker to trick an admin user into executing a request that creates a new user with specified credentials, which the attacker can then use to log into the application.

Reproduction

To reproduce this vulnerability, create a webpage that includes a request to the SpagoBI server's user management action. The request must be customized with the target host and with the desired username and password for the new user. When an admin user visits this page while logged in, the request is sent with the admin's session, and a new user is created on the platform with the provided credentials.

Remediation

Users are advised to update to the latest version of SpagoBI.
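The root cause described above is that a state-changing user-management request is accepted on the strength of the session cookie alone. The following is an added illustration, not SpagoBI code, of the two server-side checks that close this class of issue: a same-origin check on the browser-supplied Origin (or Referer) header and a per-session synchronizer token. The application origin, endpoint field names and request shape are assumptions; the two sample requests are constructed, one from the admin panel itself and one of the kind a third-party page would submit.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed origin of the BI application (constructed for this example).
APP_ORIGIN = "https://bi.example.internal"


def issue_token(session: dict) -> str:
    """Create a per-session synchronizer token and store it server-side."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def request_allowed(request: dict, session: dict) -> tuple:
    """Decide whether a state-changing request may proceed.

    request is a constructed dict: {"method", "headers": {...}, "form": {...}}.
    Returns (allowed, reason). Reads are exempt; writes must pass both checks.
    """
    if request["method"] in ("GET", "HEAD", "OPTIONS"):
        return True, "read-only method"
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
    # Browsers always send Origin on cross-site POSTs, so a missing header on a
    # write is itself a reason to refuse rather than to fall open.
    source = headers.get("origin") or headers.get("referer")
    if not source:
        return False, "missing Origin/Referer on state-changing request"
    parts = urlsplit(source)
    if f"{parts.scheme}://{parts.netloc}" != APP_ORIGIN:
        return False, f"cross-site source {parts.scheme}://{parts.netloc}"
    # Token check: a third-party page cannot read the victim's session token,
    # so it cannot include it in the forged form. Compare in constant time.
    expected = session.get("csrf_token", "")
    supplied = request.get("form", {}).get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "missing or mismatched CSRF token"
    return True, "ok"


def demo() -> dict:
    """Run the guard over two constructed 'create user' requests."""
    session = {}
    token = issue_token(session)
    legit = {"method": "POST", "headers": {"Origin": APP_ORIGIN},
             "form": {"userId": "newuser", "password": "x", "csrf_token": token}}
    forged = {"method": "POST", "headers": {"Origin": "https://third-party.example"},
              "form": {"userId": "newuser", "password": "x"}}
    return {"legitimate": request_allowed(legit, session),
            "forged": request_allowed(forged, session)}
```

Both checks should be enforced for every write action in the administration panel, not only user creation, since the advisory covers editing and deleting users as well.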

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.8
impact: 0.6
exploitability: 7.7
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.