CVE-2022-2986 Enabling and disabling installed H5P libraries failed to protect from CSRF risk.

As a result, it was possible to trick a vulnerable website into installing a malicious H5P library. Malicious actors could craft a CSRF attack that would execute code against any site that had the vulnerable H5P library installed.

In addition to the danger of H5P libraries being installed without user consent, they also come with a security risk. The H5P specification allows for the inclusion of any file type, which opens up the possibility of a malicious file being loaded into a H5P library. The inclusion of a malicious file into a H5P library would allow for the execution of code on any site that included the vulnerable H5P library.

H5P Specification

The H5P specification was created to allow for the inclusion of any file type into a library. The danger of this is that it allows for malicious files that exploit vulnerabilities in software to be included without the user’s knowledge.

Security risk: If a malicious H5P library is installed on your website, hackers could exploit vulnerabilities in website software and execute code against the website from a remote location.

Timeline

Published on: 10/06/2022 18:16:00 UTC
Last modified on: 11/10/2022 04:22:00 UTC

References