CVE-2023-4959 MEDIUM

CVE-2023-4959: Quay: cross-site request forgery (csrf) on config-editor page

Vendor Red Hat
Product Red Hat Quay 3
Weakness CWE-352 · CSRF
Published September 15, 2023
Last update November 7, 2025

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Scope Unchanged
Confidentiality None
Integrity None
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

What the vulnerability does

Description

A flaw was found in Quay. In a cross-site request forgery (CSRF) attack, a malicious page forces the browser of a user who is already authenticated to the target application to submit a state-changing request the user never intended. During a penetration test it was found that the config-editor page, which is used to configure the Quay instance, is vulnerable to CSRF. By coercing the browser of a victim who is logged in to the config editor into sending an attacker-controlled request from another domain, an attacker can reconfigure the Quay instance, including adding users with admin privileges.
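The following is an added example, not Quay's code and not part of this advisory, showing the server-side check that defeats the attack class described above: a state-changing request is accepted only if its Origin (or Referer) matches the site's own origin and it carries a per-session synchronizer token compared in constant time. A forged cross-site request fails both tests, because the browser stamps the attacker's origin on it and the attacker's page cannot read the victim's token. The origin, session layout, request objects and field names are hypothetical; the sample requests are constructed for the demonstration.

```python
"""Minimal server-side CSRF guard for a state-changing endpoint.

Added example, not Quay's code. Models two independent defences:
  1. Origin/Referer check against the site's own origin.
  2. Synchronizer token bound to the session, compared in constant time.
Both must pass, so a bypass needs both a spoofed origin and the token.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

SITE_ORIGIN = "https://quay.example.internal"   # hypothetical deployment origin
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}          # must never change state


@dataclass
class Request:
    """Hypothetical stand-in for a framework request object."""
    method: str
    headers: dict
    form: dict = field(default_factory=dict)


class Session:
    """Per-login session that owns the CSRF token (hypothetical)."""
    def __init__(self):
        self.csrf_token = secrets.token_urlsafe(32)


def _source_origin(req):
    """Origin header if present, else origin derived from Referer, else None."""
    origin = req.headers.get("Origin")
    if origin and origin != "null":
        return origin.rstrip("/")
    referer = req.headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        if parts.scheme and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}"
    return None


def csrf_check(req, session):
    """Return (accepted, reason). Rejects unless both defences pass."""
    if req.method.upper() in SAFE_METHODS:
        return True, "safe method"
    src = _source_origin(req)
    if src is None:
        # Browsers always send Origin on cross-site POSTs; a missing
        # source on a state-changing request is treated as hostile.
        return False, "no Origin/Referer on state-changing request"
    if src != SITE_ORIGIN:
        return False, f"cross-origin request from {src}"
    token = req.form.get("csrf_token") or req.headers.get("X-CSRF-Token")
    if not token or not hmac.compare_digest(token, session.csrf_token):
        return False, "missing or invalid CSRF token"
    return True, "ok"


def demo():
    """Run constructed requests through the guard; returns the verdicts."""
    session = Session()
    # Legitimate submission from the site's own config page (constructed).
    legit = Request("POST",
                    {"Origin": SITE_ORIGIN, "Cookie": "session=victim"},
                    {"csrf_token": session.csrf_token, "new_admin": "mallory"})
    # Forged submission auto-posted from an attacker-controlled domain;
    # the victim's cookie rides along, the token does not (constructed).
    forged = Request("POST",
                     {"Origin": "https://attacker.example", "Cookie": "session=victim"},
                     {"new_admin": "mallory"})
    # Same-origin request that lost its token, e.g. a stale form (constructed).
    stale = Request("POST",
                    {"Referer": SITE_ORIGIN + "/config", "Cookie": "session=victim"},
                    {"new_admin": "mallory"})
    return {
        "legit": csrf_check(legit, session),
        "forged": csrf_check(forged, session),
        "stale": csrf_check(stale, session),
        "read_only": csrf_check(Request("GET", {"Cookie": "session=victim"}), session),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:10s} accepted={verdict[0]} ({verdict[1]})")
```

The token check alone would already stop the forged request; the origin check is kept as a second, independent layer so that a token leak (for example through a separate information-disclosure bug) does not immediately become a CSRF. Marking the session cookie `SameSite=Lax` or `Strict` adds a third layer on the browser side, but should not replace the server-side check.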

Key dates

Disclosure timeline

September 15, 2023 CVE published
November 7, 2025 Record updated