CSRF in the anti-csrf decorator in xunfeng 0.2.0 allows an attacker to modify the configuration via a Flash file because views/lib/AntiCSRF.py can overwrite the request.host value with the content of the X-Forwarded-Host HTTP header.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-352,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xunfeng_project | xunfeng | 0.2.0 |
xunfeng 0.2.0 allows command execution via CSRF because masscan.py mishandles backquote characters, a related issue to CVE-2018-16832.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-352,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xunfeng_project | xunfeng | 0.2.0 |