Synopsis
The remote Crucible server is affected by multiple attack vectors.
Description
Versions of Crucible prior to 3.10.0 are affected by multiple vulnerabilities:
- An unspecified flaw may allow an attacker to bypass Cross-Site Request Forgery (CSRF) protection mechanisms and conduct CSRF attacks. No further details have been provided by the vendor.
- A flaw exists because HTTP requests to certain pages do not require multiple steps, explicit confirmation, or a unique token when performing certain sensitive actions. By tricking a user into following a specially crafted link, a context-dependent attacker can perform a CSRF/XSRF attack that causes the victim to perform backup actions that may overwrite the existing backup file.
- A flaw exists that is triggered when handling HTTP requests containing newline characters. This may allow a remote attacker to inject forged content into log files.
Solution
Upgrade to Crucible version 3.10.0 or later.
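
The log-injection item in the description comes down to request data reaching a log file with its line breaks intact. The following is an added example, not Crucible's code or the vendor's fix: a Python logging filter that escapes line breaks in logged arguments, using a constructed request path and the hypothetical names neutralize, NeutralizeLineBreaks, ListHandler and log_request. It assumes request-derived values are passed as logging arguments rather than concatenated into the format string.

```python
import logging

# Characters that log viewers and line-based parsers treat as a record break.
_BREAKS = str.maketrans({"\r": "\\r", "\n": "\\n",
                         "\u2028": "\\u2028", "\u2029": "\\u2029"})


def neutralize(value):
    """Escape line-breaking characters in one request-derived value."""
    return value.translate(_BREAKS) if isinstance(value, str) else value


class NeutralizeLineBreaks(logging.Filter):
    """Escape line breaks in every argument before the record is formatted."""

    def filter(self, record):
        if isinstance(record.args, dict):
            record.args = {k: neutralize(v) for k, v in record.args.items()}
        elif record.args:
            record.args = tuple(neutralize(a) for a in record.args)
        return True


class ListHandler(logging.Handler):
    """Collect formatted records in memory so the result can be inspected."""

    def __init__(self):
        super().__init__()
        self.entries = []

    def emit(self, record):
        self.entries.append(self.format(record))


def log_request(path, hardened):
    """Log one request path and return the text written for it."""
    logger = logging.Logger("access-demo", level=logging.INFO)  # not registered globally
    handler = ListHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    if hardened:
        logger.addFilter(NeutralizeLineBreaks())
    logger.info("GET %s", path)  # untrusted value goes in as an argument
    return handler.entries[0]


# Constructed sample: an already URL-decoded path that carries a newline.
SAMPLE_PATH = "/example/page\nINFO backup completed by admin"
```

Without the filter the single request is written as two lines, the second indistinguishable from a genuine entry; with it the request stays on one line and the escaped `\n` remains visible to whoever reviews the log.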