CVE-2013-7259 — Neo4J vulnerable to Cross-Site Request Forgery

Description

Multiple cross-site request forgery (CSRF) vulnerabilities in Neo4J 1.9.2 allow remote attackers to hijack the authentication of administrators for requests that execute arbitrary code, as demonstrated by a request to (1) db/data/ext/GremlinPlugin/graphdb/execute_script or (2) db/manage/server/console/.

How to fix CVE-2013-7259

To remediate CVE-2013-7259, upgrade the affected package to a fixed version below.

Maven/org.neo4j:neo4j—upgrade to 2.2.0-M01 or later

Is CVE-2013-7259 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 2.2.0-M01

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

References (8)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2013-7259
PATCHgithub.com/neo4j/neo4j
WEBgithub.com/neo4j/neo4j/commit/40ad76078a25666d8b218772b6491fb443020df9
WEBgithub.com/neo4j/neo4j/issues/2826
WEB