python-engineio Origin Header Cross-Site WebSocket Hijacking Vulnerability [CVE-2019-13611]
CVE number – CVE-2019-13611
A vulnerability in python-engineio could allow an unauthenticated, remote attacker to conduct a cross-site websocket hijacking (CSWSH) attack on a targeted system.
The vulnerability exists because the affected software does not restrict the Origin header. An attacker could exploit this vulnerability by persuading a user to access a link that submits malicious input to the targeted system. A successful exploit could allow the attacker to initiate a websocket connection to the system by using the targeted user’s credentials. The vendor has confirmed the vulnerability; however, software updates are not available.
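The missing restriction can be enforced in front of the application. The sketch below is an added example, not python-engineio code: a WSGI middleware that exact-matches the Origin header on WebSocket upgrade requests and fails closed. The names origin_guard, origin_allowed and normalize_origin, the allowlist and the sample requests are all assumptions made for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def normalize_origin(value):
    """Return (scheme, host, port) for an Origin header value, or None if unusable."""
    if not value or value.strip().lower() == "null":
        return None  # absent, or the opaque origin of sandboxed/file contexts
    try:
        parts = urlsplit(value.strip())
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    # A serialized origin has no userinfo, path, query or fragment.
    if "@" in parts.netloc or parts.path or parts.query or parts.fragment:
        return None
    return (scheme, parts.hostname.lower(), DEFAULT_PORTS[scheme] if port is None else port)

def origin_allowed(environ, allowed_origins):
    """Exact-match the request's Origin against the allowlist; fail closed."""
    origin = normalize_origin(environ.get("HTTP_ORIGIN"))
    allowed = {normalize_origin(o) for o in allowed_origins} - {None}
    return origin is not None and origin in allowed

def origin_guard(app, allowed_origins):
    """WSGI middleware (hypothetical name): refuse cross-origin WebSocket upgrades."""
    def middleware(environ, start_response):
        upgrading = environ.get("HTTP_UPGRADE", "").lower() == "websocket"
        if upgrading and not origin_allowed(environ, allowed_origins):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"Origin not allowed"]
        return app(environ, start_response)
    return middleware

# Constructed sample handshakes (WSGI environ fragments), not captured traffic.
ALLOWED = ["https://app.example.com"]
SAMPLES = {
    "same origin": {"HTTP_UPGRADE": "websocket", "HTTP_ORIGIN": "https://app.example.com"},
    "other site": {"HTTP_UPGRADE": "websocket", "HTTP_ORIGIN": "https://evil.example.net"},
    "lookalike": {"HTTP_UPGRADE": "websocket", "HTTP_ORIGIN": "https://app.example.com.evil.example.net"},
    "no origin": {"HTTP_UPGRADE": "websocket"},
}

if __name__ == "__main__":
    for name, env in SAMPLES.items():
        print(f"{name:12} -> {'allow' if origin_allowed(env, ALLOWED) else 'reject'}")
```

Rejecting handshakes that carry no Origin header is a policy choice made in this example; non-browser clients that omit the header would need a separate authenticated path.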
Analysis
- To exploit this vulnerability, the attacker may use misleading language or instructions to persuade a user to access a link that submits malicious input to the targeted system.
Vendor Announcements
- The vendor has released an issue report at the following link: Issue #128
Fixed Software
- At the time this alert was first published, the vendor had not released software updates.
I am one of the editors here at www.systemtek.co.uk. I am a UK-based technology professional, with an interest in computer security and telecoms.