Missing permission checks in Micro Focus Application Automation Tools Plugin
Moderate severity
GitHub Reviewed
Published
May 24, 2022
to the GitHub Advisory Database
•
Updated Dec 19, 2023
Package
Affected versions
<= 6.7
Patched versions
7.2.3-beta
Description
Published by the National Vulnerability Database
Apr 8, 2021
Published to the GitHub Advisory Database
May 24, 2022
Reviewed
Dec 13, 2022
Last updated
Dec 19, 2023
Credits
-
NotMyFault Analyst
Micro Focus Application Automation Tools Plugin 6.7 and earlier does not perform permission checks in methods implementing form validation.
This allows attackers with Overall/Read permission to connect to attacker-specified URLs using attacker-specified username and password.
Additionally, these form validation methods do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.
Micro Focus Application Automation Tools Plugin 6.8 requires POST requests and Overall/Administer permission for the affected form validation methods.
References