CVE-2020-28191 – org.togglz:togglz-console

Package

Manager: maven
Name: org.togglz:togglz-console
Vulnerable Version: >=0 <2.9.4

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00076 pctl0.23362

Details

Togglz console missing cross-site request forgery (CSRF) protection Togglz is an implementation of the Feature Toggles pattern for Java. There is no CSRF protection in the togglz console and could allow an attacker to guess the CSRF token value. Version 2.9.4 adds the necessary CSRF protection.

Metadata

Created: 2022-07-15T20:55:21Z
Modified: 2025-04-14T22:10:03Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-697v-pxg3-j262/GHSA-697v-pxg3-j262.json
CWE IDs: ["CWE-352"]
Alternative ID: GHSA-697v-pxg3-j262
Finding: F007
Auto approve: 1