CVE-2020-24983

HIGH

Quadbase EspressReports ES 7 Update 9 - Unauthenticated Cross-Site Request Forgery via DashboardBuilder

Title source: llm
STIX 2.1

Description

An issue was discovered in Quadbase EspressReports ES 7 Update 9. An unauthenticated attacker can create a malicious HTML file that houses a POST request made to the DashboardBuilder within the target web application. This request will utilise the target admin session and perform the authenticated request (to change the Dashboard name) as if the victim had done so themselves, aka CSRF.

References (1)

Core 1
Core References
Exploit, Third Party Advisory x_refsource_misc
https://c41nc.co.uk/cve-2020-24983/

Scores

CVSS v3 8.8
EPSS 0.0064
EPSS Percentile 46.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE
CWE-352
Status published
Products (1)
quadbase/espressreports_es 7 update_9
Published Mar 11, 2021
Tracked Since Feb 18, 2026