Birkir Prime Cross-Site Request Forgery Vulnerability
Vulnerability
A cross-site request forgery (CSRF) vulnerability has been identified in Birkir Prime versions through 0.4.0.beta.0. This issue arises from the application's GraphQL implementation, which allows GET method queries by default. As a result, attackers could exploit this vulnerability to perform CSRF attacks against users with elevated privileges. The vulnerability can be exploited remotely, without the need for authentication, although it does require some form of user interaction.
Impact
Exploitation of this vulnerability allows for cross-site request forgery, where an attacker can trick a user into performing actions they did not intend, potentially leading to unauthorized changes or actions within the application.
Reproduction
To reproduce this vulnerability, send a GET request to the application's GraphQL endpoint with a query. The request can be made using a tool like curl, including headers to mimic a legitimate user agent. This will initiate a CSRF attack against the targeted user.
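One way to close the condition described above on the server side, as an added example (not code from Birkir Prime or from this advisory): a guard that rejects GraphQL operations sent over GET, requires a JSON body and checks the Origin header. The function name, the allowed origin and the sample requests are constructed for illustration.

```javascript
// Added example: a framework-independent CSRF guard for a GraphQL HTTP endpoint.
// checkGraphqlRequest and ALLOWED_ORIGINS are hypothetical names, not Prime's API.
const ALLOWED_ORIGINS = new Set(['https://cms.example.test']); // constructed value

function checkGraphqlRequest(req) {
  const method = String(req.method || '').toUpperCase();
  const headers = {};
  for (const [name, value] of Object.entries(req.headers || {})) {
    headers[name.toLowerCase()] = String(value);
  }

  // 1. Refuse GET (and anything else that is not POST). Cross-site GETs need no
  //    preflight, and top-level navigations send cookies even under SameSite=Lax.
  if (method !== 'POST') {
    return { allow: false, status: 405, reason: 'GraphQL operations must use POST' };
  }

  // 2. Require a JSON body. application/json is not a CORS "simple" content
  //    type, so a cross-site page cannot send it without a preflight, unlike
  //    form-encoded, multipart or text/plain bodies.
  const type = (headers['content-type'] || '').split(';')[0].trim().toLowerCase();
  if (type !== 'application/json') {
    return { allow: false, status: 415, reason: 'Content-Type must be application/json' };
  }

  // 3. If the browser sent an Origin header, it must be one we serve.
  //    Assumption: requests without Origin come from non-browser clients.
  const origin = headers['origin'];
  if (origin !== undefined && !ALLOWED_ORIGINS.has(origin)) {
    return { allow: false, status: 403, reason: 'Origin not allowed' };
  }
  return { allow: true, status: 200, reason: 'ok' };
}

// Constructed sample requests (not captured traffic).
const SAMPLES = [
  { method: 'GET', headers: { Cookie: 'session=abc' } },
  { method: 'POST', headers: { 'Content-Type': 'text/plain', Origin: 'https://cms.example.test' } },
  { method: 'POST', headers: { 'Content-Type': 'application/json', Origin: 'https://other.example.test' } },
  { method: 'POST', headers: { 'Content-Type': 'application/json; charset=utf-8', Origin: 'https://cms.example.test' } },
];

function runSamples() {
  return SAMPLES.map((req) => checkGraphqlRequest(req).status);
}

console.log(runSamples());
```

Call the guard before the GraphQL handler parses the request and return its `status` when `allow` is false.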
