What the vulnerability does
Cross-Site Request Forgery (CSRF) vulnerability in IP2Location IP2Location Variables ip2location-variables allows Reflected XSS. This issue affects IP2Location Variables: from n/a through <= 2.9.5.
CVSS base score
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Explanation of Vulnerability in Simple Terms
IP2Location Variables versions 2.9.5 and earlier are vulnerable to cross-site request forgery (CSRF) attacks. An attacker can craft a malicious link or webpage that, when visited by a logged-in administrator, performs unwanted actions on the site without their knowledge. The vulnerability affects confidentiality, integrity, and availability with low impact. Administrators should update to a version newer than 2.9.5.
What an attacker can do
Trick a logged-in admin into performing unwanted actions via a malicious link or webpage.
Potential impact on your site
An attacker can modify site settings or data if an admin clicks a malicious link while logged in.
Conditions required to exploit
Admin must visit attacker-controlled page while logged into the site; no special privileges required.
Key dates
External resources