Impact
Before version 1.7.10, an attacker is able to make arbitrary changes to many components including issues, comments, files, users, and groups via a CSRF attack. This includes all administrative actions if the targeted user is an administrator.
Patches
Phproject 1.7.10 includes new CSRF protection on all web-based POST requests that prevents this type of attack.
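The protection described above is a synchronizer-token check: every state-changing POST must carry a secret the attacker's cross-site page cannot read. The following is an added example of that pattern, not code from Phproject itself; it assumes PHP sessions are available, and the field name `_csrf`, the header name `X-CSRF-Token` and the function names are illustrative choices.

```php
<?php
// Added example (not Phproject's own code): synchronizer-token CSRF protection
// for web-based POST requests. Assumes PHP sessions; the names below are
// illustrative and not taken from the project.

declare(strict_types=1);

const CSRF_SESSION_KEY = 'csrf_token';
const CSRF_FIELD = '_csrf';

// Return the per-session token, creating it on first use.
function csrf_token(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION[CSRF_SESSION_KEY])) {
        // 32 CSPRNG bytes, hex-encoded so the value is safe to embed in HTML
        $_SESSION[CSRF_SESSION_KEY] = bin2hex(random_bytes(32));
    }
    return $_SESSION[CSRF_SESSION_KEY];
}

// Hidden input to include in every form that POSTs.
function csrf_field(): string
{
    return '<input type="hidden" name="' . CSRF_FIELD . '" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Constant-time comparison of the submitted token against the session token.
// hash_equals() takes the known value first so timing does not leak its length.
function csrf_valid(?string $submitted, string $expected): bool
{
    return is_string($submitted) && $submitted !== '' && hash_equals($expected, $submitted);
}

// Gate to run before any POST handler: reject the request when the token is
// missing or wrong. GET requests are left alone because they must not change state.
function csrf_guard(): void
{
    if (($_SERVER['REQUEST_METHOD'] ?? 'GET') !== 'POST') {
        return;
    }
    // Accept the token from the form field or, for AJAX callers, a request header
    // (assumed header name; browsers cannot add custom headers cross-site without CORS).
    $submitted = $_POST[CSRF_FIELD] ?? $_SERVER['HTTP_X_CSRF_TOKEN'] ?? null;
    if (!csrf_valid($submitted, csrf_token())) {
        http_response_code(403);
        exit('Invalid or missing CSRF token');
    }
}

// Usage: call csrf_guard() once at the top of the front controller, before any
// route dispatch, and emit csrf_field() inside every form that POSTs.
csrf_guard();
```

The check must sit in front of every POST route rather than in individual handlers, since the advisory's point is that a single unprotected endpoint (issues, comments, files, users, groups, or any admin action) is enough. Setting the session cookie with `SameSite=Lax` is a useful second layer, but it does not replace the token check.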
Workarounds
None. This update should be non-breaking for typical use, so it is strongly recommended to install the 1.7.10 update to fix the issue.
References
Related disclosures
For more information
If you have any questions or comments about this advisory: