SpinaCMS / Spina

Spina CMS
http://www.spinacms.com

Fix for CVE-2024-7106 - Cross-Site Request Forgery? #1381

Open barrywoolgar opened 2 weeks ago

barrywoolgar commented 2 weeks ago

Hello

Is there a fix available (or planned) for CVE-2024-7106?

A vulnerability classified as problematic was found in Spina CMS 2.18.0. Affected by this vulnerability is an unknown functionality of the file /admin/media_folders. The manipulation leads to cross-site request forgery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-272431. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

At the moment Bundler Audit is recommending we "remove or disable this gem until a patch is available", which isn't much of a long-term solution!

Many thanks

Bramjetten commented 2 weeks ago

No.

The "bug" they submitted was only tested on the live demo website and is caused by the live demo not having any authentication or authorization, which is of course purposefully disabled for demo purposes...

This is not present in the Spina gem and has nothing to do with it. I've been unable to have this CVE removed. I have also never been contacted by the individual that published this CVE. It's a scam sadly.

I'm planning on re-adding password authentication to our live demo site and releasing a new version of the Spina gem just to clear this up.

barrywoolgar commented 2 weeks ago

Thank you for the rapid response, and the context missing from the official CVE pages.

We use automated tooling to make sure we're addressing vulnerabilities (real or imagined!) so it is great to hear that there's a straightforward solution to this.

Please could this issue stay open until the new version is released?

Bramjetten commented 2 weeks ago

Agreed!