VYPR
NVD Advisory · Unrated severity · Published Apr 8, 2024 · Updated Aug 28, 2024

CVE-2024-27631

Description

Cross-Site Request Forgery (CSRF) vulnerability in GNU Savane v3.12 and before allows a remote attacker to escalate privileges via siteadmin/usergroup.php.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

  • GNU Savane, versions <= 3.12

Vulnerability mechanics

Root cause

"Missing CSRF protection on administrative endpoints allows an attacker to forge state-changing requests in an authenticated admin's session."

Attack vector

An attacker crafts a malicious HTML page that auto-submits a POST request to `/siteadmin/user_changepw.php` carrying the victim's user ID and an attacker-chosen new password. The attacker hosts this page and sends the link to an authenticated administrator who is in superuser mode. Because the browser attaches the administrator's session cookie to the forged request and the endpoint checks nothing beyond that session, the request executes with the administrator's privileges, changing the victim's password and letting the attacker take over the victim's account [ref_id=1].

Affected code

The vulnerable endpoint is `/siteadmin/usergroup.php` (and related administrative pages such as `/siteadmin/user_changepw.php`). These pages lack CSRF protection, allowing an attacker to forge requests that change user passwords or administrative flags [ref_id=1].

What the fix does

The advisory does not include a patch or specific remediation guidance beyond identifying the lack of CSRF protection. To fix the vulnerability, the application should implement session-bound anti-CSRF tokens on all state-changing administrative forms, including `/siteadmin/usergroup.php` and the other listed endpoints, and reject any request that does not carry a token matching the one issued to the current session [ref_id=1]. Checking the session cookie alone is not sufficient, since the browser sends that cookie on cross-site form submissions too.
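The forged cross-site POST described under Attack vector, and the session-bound token check described here, modelled in Python as an added example. This is illustrative code written for this page, not GNU Savane's code: the in-memory session and user stores, the form field names `user_id`, `new_password` and `csrf_token`, and the `Sec-Fetch-Site` defence-in-depth check are assumptions, not details taken from the advisory.

```python
"""Model of a CSRF-exposed admin handler beside a token-protected one.

Added example, not GNU Savane's code. Endpoint path, form field names and the
in-memory session/user stores are assumptions modelled on the advisory text.
"""
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed server-side state: a session store and a single victim account.
SESSIONS: dict = {}                                    # sid -> session record
USERS = {"101": {"name": "victim", "password": "original"}}


@dataclass
class Request:
    method: str
    path: str
    cookies: dict
    form: dict
    headers: dict = field(default_factory=dict)


def login(user: str, superuser: bool) -> str:
    """Create a session and bind a fresh, random CSRF token to it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "superuser": superuser,
                     "csrf": secrets.token_urlsafe(32)}
    return sid


def session_of(req: Request):
    return SESSIONS.get(req.cookies.get("session"))


def vulnerable_changepw(req: Request) -> int:
    """Mirrors the flaw: the session cookie is the only check, so a cross-site
    form POST made by the admin's browser is accepted as the admin."""
    sess = session_of(req)
    if req.method != "POST" or sess is None or not sess["superuser"]:
        return 403
    USERS[req.form["user_id"]]["password"] = req.form["new_password"]
    return 200


def hardened_changepw(req: Request) -> int:
    """Same handler with a session-bound anti-CSRF token. The Fetch Metadata
    check is defence in depth; the token comparison is the control."""
    sess = session_of(req)
    if req.method != "POST" or sess is None or not sess["superuser"]:
        return 403
    # Modern browsers label cross-site submissions; an absent header means an
    # older browser, which is not failed here because the token check remains.
    if req.headers.get("Sec-Fetch-Site", "same-origin") not in ("same-origin", "none"):
        return 403
    supplied = req.form.get("csrf_token", "")
    # Constant-time compare against the token bound to THIS session: no token,
    # or a token from the attacker's own session, is rejected.
    if not hmac.compare_digest(supplied.encode(), sess["csrf"].encode()):
        return 403
    USERS[req.form["user_id"]]["password"] = req.form["new_password"]
    return 200


def csrf_token_for(sid: str) -> str:
    """What the legitimate admin page embeds as a hidden form field."""
    return SESSIONS[sid]["csrf"]


def forged_request(admin_sid: str) -> Request:
    """The attacker's auto-submitting page: the admin's browser attaches the
    session cookie, but the attacker cannot read the admin's token."""
    return Request("POST", "/siteadmin/user_changepw.php",
                   cookies={"session": admin_sid},
                   form={"user_id": "101", "new_password": "attacker-chosen"},
                   headers={"Sec-Fetch-Site": "cross-site"})


def legitimate_request(admin_sid: str, new_password: str) -> Request:
    """The admin's own form submission, carrying the session-bound token."""
    return Request("POST", "/siteadmin/user_changepw.php",
                   cookies={"session": admin_sid},
                   form={"user_id": "101", "new_password": new_password,
                         "csrf_token": csrf_token_for(admin_sid)},
                   headers={"Sec-Fetch-Site": "same-origin"})


def demo() -> dict:
    """Forged request against both handlers, a foreign-session token, and a
    legitimate submission; returns HTTP-style status codes and end state."""
    USERS["101"]["password"] = "original"
    admin = login("admin", superuser=True)
    attacker = login("attacker", superuser=False)
    results = {"vulnerable_forged": vulnerable_changepw(forged_request(admin))}
    results["password_after_forgery"] = USERS["101"]["password"]
    USERS["101"]["password"] = "original"
    results["hardened_forged"] = hardened_changepw(forged_request(admin))
    # Attacker presents a token from their own session, from a browser that
    # sends no Fetch Metadata: only the session binding of the token stops it.
    cross = forged_request(admin)
    cross.headers = {}
    cross.form["csrf_token"] = csrf_token_for(attacker)
    results["hardened_foreign_token"] = hardened_changepw(cross)
    results["hardened_legit"] = hardened_changepw(legitimate_request(admin, "rotated"))
    results["password_after_fix"] = USERS["101"]["password"]
    return results
```

Calling `demo()` shows the vulnerable handler returning 200 for the forged request (the victim's password becomes the attacker's value) while the hardened handler returns 403 for the same request, 403 again when the attacker supplies a token from a different session, and 200 only for the admin's own submission. The same token check belongs on `/siteadmin/usergroup.php` and every other state-changing administrative page, not just the password endpoint.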

Preconditions

  • Input: The attacker must know the victim's user ID (obtainable from the victim's profile page).
  • Auth: A Savane administrator must be logged in and in superuser mode.
  • Network: The administrator must visit a page controlled by the attacker (e.g., via a social-engineering link).

Reproduction

1. Identify a victim user and note their userID from their profile page (`/users/

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
