CVE-2019-9580

MEDIUM

StackStorm Web UI <2.9.3, <2.10.3 - CSRF

Title source: llm

Description

In st2web in StackStorm Web UI before 2.9.3 and 2.10.x before 2.10.3, it is possible to bypass the CORS protection mechanism via a "null" origin value, potentially leading to XSS.

Exploits (1)

nomisec WORKING POC 31 stars

by mpgn · poc

https://github.com/mpgn/CVE-2019-9580

View Code ZIP pw:eip

References (3)

Core 3

Core References

Release Notes, Third Party Advisory x_refsource_misc

https://github.com/StackStorm/st2/releases/tag/v2.9.3

Release Notes, Third Party Advisory x_refsource_misc

https://github.com/StackStorm/st2/releases/tag/v2.10.3

Vendor Advisory x_refsource_misc

https://stackstorm.com/2019/03/08/stackstorm-2-9-3-2-10-3/

Scores

CVSS v3 6.1

EPSS 0.1037

EPSS Percentile 93.2%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-79

Status published

Products (1)

stackstorm/stackstorm < 2.9.3

Published Mar 09, 2019

Tracked Since Feb 18, 2026