CVE-2020-14989: 
Bloomreach Experience Manager vulnerability analysis and mitigation

An issue was discovered in Bloomreach Experience Manager (brXM) versions 4.1.0 through 14.2.2. The vulnerability, identified as CVE-2020-14989, allows Cross-Site Request Forgery (CSRF) attacks by exploiting a method bypass where attackers can use GET requests where POST was intended (NVD, MITRE).

The vulnerability stems from an implementation flaw where the application assumes form submissions should use the POST method and implements origin header checks accordingly. However, the application fails to properly restrict GET requests, allowing attackers to bypass the origin header verification. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N, indicating network accessibility, low attack complexity, no privileges required, and user interaction required (NVD).

When exploited, this vulnerability allows attackers to perform unauthorized actions on behalf of authenticated users. Attackers can craft malicious pages with images that automatically send GET requests to form URLs, potentially leading to unintended actions such as creating accounts or changing passwords when visited by authenticated users (BrXM Advisory).

Bloomreach has released fixes for this vulnerability. Organizations are advised to update to the latest stable version of Bloomreach Experience Manager that was released after October 27th, 2020 (BrXM Advisory).