CVE-2024-27632

An attacker can exploit this vulnerability by observing the Unix timestamp when a victim user visits a Savane webpage that generates a form_id. By knowing this timestamp, the attacker can independently generate the same valid CSRF token that was assigned to the victim. This allows the attacker to bypass CSRF checks and execute actions on behalf of the victim, potentially leading to privilege escalation or account takeover [ref_id=1].

The vulnerability lies in the `form_header()` function, specifically where the `form_id` is generated. The code first calls `utils_srand()` and then creates the `form_id` as an MD5 hash of a value generated by PHP's PRNG [ref_id=1]. The `utils_srand()` function seeds the PRNG using the microtime, which returns the Unix timestamp, multiplied by 1,000,000 [ref_id=1].

The advisory does not specify a patch or provide details on how the vulnerability is fixed. Remediation guidance suggests updating to a version that addresses this issue, but specific changes are not detailed.

Visit a Savane webpage that generates a form_id. Note the Unix timestamp that you visited that page. Replace $RECORDED_UNIX_TIME with the time that was recorded and un the following PHP script. Observe that the value generated