CVE number – CVE-2019-13611
A vulnerability in python-engineio could allow an unauthenticated, remote attacker to conduct a cross-site websocket hijacking (CSWSH) attack on a targeted system.
The vulnerability exists because the affected software does not restrict the Origin header. An attacker could exploit this vulnerability by persuading a user to access a link that submits malicious input to the targeted system. A successful exploit could allow the attacker to initiate a websocket connection to the system by using the targeted user’s credentials. The vendor has confirmed the vulnerability; however, software updates are not available.
- To exploit this vulnerability, the attacker may use misleading language or instructions to persuade a user to access a link that submits malicious input to the targeted system.
- The vendor has released an issue report at the following link: Issue #128
- At the time this alert was first published, the vendor had not released software updates.
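The missing control described above is an Origin allow-list on the WebSocket handshake. The following is an added example, not python-engineio's own code: a WSGI wrapper (the `OriginCheckMiddleware` name, the `/engine.io` path and the allow-list values are assumptions for illustration) that rejects upgrade requests whose Origin does not exactly match a configured origin, and fails closed when the header is absent.

```python
# Added example, not python-engineio's own code: a WSGI wrapper that refuses
# WebSocket/Engine.IO handshakes whose Origin is not on an allow-list.
from typing import Optional
from urllib.parse import urlsplit

def normalize_origin(origin: str) -> Optional[str]:
    """Canonicalise an Origin value to scheme://host[:port]; None if malformed."""
    try:
        parts = urlsplit(origin)
        port = parts.port  # ValueError on a non-numeric port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None  # also rejects the literal "null" origin
    default = 443 if parts.scheme == "https" else 80
    if port is None or port == default:
        return f"{parts.scheme}://{parts.hostname}"
    return f"{parts.scheme}://{parts.hostname}:{port}"

def origin_allowed(environ: dict, allowed: set, require_origin: bool = True) -> bool:
    """Exact match of the request's Origin against the allow-list (no substring
    or suffix matching). Browsers always send Origin on a WebSocket handshake,
    so a missing header fails closed unless require_origin=False."""
    origin = environ.get("HTTP_ORIGIN")
    if origin is None:
        return not require_origin
    normalized = normalize_origin(origin)
    return normalized is not None and normalized in allowed

class OriginCheckMiddleware:
    """Apply the check before the request reaches the wrapped Engine.IO app."""
    def __init__(self, app, allowed_origins, path="/engine.io"):
        self.app, self.path = app, path
        self.allowed = {normalize_origin(o) for o in allowed_origins} - {None}

    def __call__(self, environ, start_response):
        upgrade = environ.get("HTTP_UPGRADE", "").lower() == "websocket"
        on_path = environ.get("PATH_INFO", "").startswith(self.path)
        if (upgrade or on_path) and not origin_allowed(environ, self.allowed):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"origin not allowed\n"]
        return self.app(environ, start_response)

def handshake_status(app, environ: dict) -> str:
    """Drive a WSGI app with a constructed environ; return the status line."""
    seen = []
    list(app(environ, lambda status, headers, exc_info=None: seen.append(status)))
    return seen[0]
```

Set `require_origin=False` only when non-browser clients, which cannot carry a victim's session cookies, must connect without an Origin header.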