CVE-2026-61502
Gravedad CVSS v4.0:
MEDIA
Tipo:
CWE-352
Falsificación de petición en sitios cruzados (Cross-Site Request Forgery)
Fecha de publicación:
13/07/2026
Última modificación:
13/07/2026
Descripción
*** Pendiente de traducción *** Rejetto HFS 3.0.0 through 3.2.0 accepts state-changing API requests via the GET method and exempts GET requests from its anti-CSRF header check. A remote attacker can perform administrative actions including account creation and configuration changes leading to code execution - by causing a logged-in administrator's browser to navigate to a crafted URL, or without any credentials against default installations when the attack originates from the server's own machine.
Impacto
Puntuación base 4.0
5.10
Gravedad 4.0
MEDIA
Puntuación base 3.x
4.30
Gravedad 3.x
MEDIA



