
SS-2016-006: Missing CSRF protection in login form

Severity: Low
Identifier: SS-2016-006
Versions Affected: 3.1.18, 3.2.3, 3.3.1
Versions Fixed: 3.1.19, 3.2.4, 3.3.2
Release Date: 2016-05-11

LoginForm calls disableSecurityToken(), which removes the CSRF token from the login form and exposes it to the "shared host domain" (login CSRF) vulnerability described at http://stackoverflow.com/a/15350123.
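As an added illustration (not SilverStripe's own Form or SecurityToken code), the following stand-alone Python models the two behaviours the advisory contrasts: a login handler with the token disabled, which processes any POST that reaches it, and a hardened handler that requires the session-bound token the form was rendered with. The credential store, session and requests are constructed inline.

```python
import hmac
import secrets

# Constructed sample credential store standing in for the site's member table.
USERS = {
    "victim@example.com": "correct horse battery staple",
    "other@example.com": "known-to-forger",
}

def authenticate(email, password):
    """Return the email on a credential match, else None."""
    return email if USERS.get(email) == password else None

def render_login_form(session):
    """Render step: bind a random token to the session and emit it as a hidden field."""
    token = session.setdefault("SecurityID", secrets.token_hex(16))
    return {"Email": "", "Password": "", "SecurityID": token}

def login_unprotected(session, post):
    """Mirrors the advisory's flaw: token disabled, so every POST is processed."""
    return authenticate(post.get("Email"), post.get("Password"))

def login_protected(session, post):
    """Hardened handler: the POST must carry the token bound to this session."""
    expected = session.get("SecurityID")
    supplied = post.get("SecurityID", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return None  # reject before touching credentials
    session["SecurityID"] = secrets.token_hex(16)  # rotate: one token per submission
    return authenticate(post.get("Email"), post.get("Password"))

def demo():
    session = {}
    form = render_login_form(session)
    # A cross-site form submission rides on the victim's browser but cannot read the
    # token from the victim's page, so it arrives without one. Its credentials are for
    # an account the forger controls; the unprotected handler would log the victim's
    # browser into that account.
    forged = {"Email": "other@example.com", "Password": "known-to-forger"}
    # A genuine submission echoes back the token that was rendered into the form.
    legit = dict(form, Email="victim@example.com", Password="correct horse battery staple")
    return {
        "forged_unprotected": login_unprotected(session, forged),
        "forged_protected": login_protected(session, forged),
        "legit_protected": login_protected(session, legit),
        "replay_protected": login_protected(session, legit),  # token already rotated
    }
```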

Credit: Anthony Thorpe