CVE-2023-40021
CVSS 3.1 Score 5.3 of 10 (medium)
Details
Summary
CVE-2023-4021: A timing attack vulnerability was discovered in Oppia's CSRF token validation mechanism. The platform's CsrfTokenManager incorrectly uses string equality (`==`) for token comparison, allowing an attacker to recover the expected token character by character through repeated submission of invalid tokens. Once obtained, the attacker can perform privileged actions on behalf of a logged-in user, including profile modifications and exploration management, before the token changes again. No known workarounds exist, and users are advised to upgrade to release 3.3.2-hotfix-2, which includes the necessary patch.
Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.
Affected Products
- Oppia
Affected Vendors
- Oppia