Research from Contrast Security has disclosed a vulnerability in SkillTree, a training platform that the NSA maintains on GitHub.
Because GitHub has also been used by malicious actors as an open-source development platform to host malware, the researchers set out to uncover and understand security vulnerabilities in popular GitHub repositories.
Through this research, a cross-site request forgery (CSRF) vulnerability was discovered in SkillTree. It gives a malicious actor the ability to target a logged-in administrator of SkillTree's Skills Service and alter videos, text and captions on that administrator's behalf. The vulnerability was designated CVE-2024-39326 and is rated moderate. The maintainers have been informed and a patched version has been publicly released.
Researchers assert that this vulnerability existed due to a lack of CSRF protections within the SkillTree application.
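To illustrate what "a lack of CSRF protections" means in practice, the following added example (not SkillTree's code; the session store, the "update video" handler and both requests are constructed for this demonstration) contrasts a cookie-only admin endpoint with one that also verifies a per-session synchronizer token sent in a custom header:

```python
import hmac
import secrets

# Constructed in-memory session store: session id -> {"user": ..., "csrf": ...}.
# Models an admin-only "update video caption" endpoint; not SkillTree's code.
SESSIONS = {
    "sess-admin-1": {"user": "admin", "csrf": secrets.token_hex(16)},
}

def csrf_token_for(session_id):
    """Token the application's own pages embed in the requests they send."""
    return SESSIONS[session_id]["csrf"]

def update_video_vulnerable(request, videos):
    """Cookie-only authorization: any request carrying the admin's session
    cookie is honoured, including one a third-party page caused the browser
    to send. This is the pattern a missing CSRF protection produces."""
    session = SESSIONS.get(request["cookies"].get("session"))
    if session is None or session["user"] != "admin":
        return 401
    videos[request["body"]["video_id"]] = request["body"]["caption"]
    return 200

def update_video_hardened(request, videos):
    """Synchronizer-token check: the request must also carry, in a header the
    browser never adds on its own, the per-session token that only the
    application's own pages can read. Compared in constant time."""
    session = SESSIONS.get(request["cookies"].get("session"))
    if session is None or session["user"] != "admin":
        return 401
    sent = request["headers"].get("X-CSRF-Token", "")
    if not hmac.compare_digest(sent, session["csrf"]):
        return 403
    videos[request["body"]["video_id"]] = request["body"]["caption"]
    return 200

def demo():
    """Replay one legitimate and one cross-site request against both handlers."""
    legit = {"cookies": {"session": "sess-admin-1"},
             "headers": {"X-CSRF-Token": csrf_token_for("sess-admin-1")},
             "body": {"video_id": "v1", "caption": "course intro"}}
    # Constructed cross-site request: the browser attaches the session cookie,
    # but the originating page cannot read the token, so the header is absent.
    forged = {"cookies": {"session": "sess-admin-1"},
              "headers": {},
              "body": {"video_id": "v1", "caption": "tampered"}}
    vuln, hard = {}, {}
    return {
        "vulnerable": (update_video_vulnerable(legit, vuln),
                       update_video_vulnerable(forged, vuln), dict(vuln)),
        "hardened": (update_video_hardened(legit, hard),
                     update_video_hardened(forged, hard), dict(hard)),
    }
```

The vulnerable handler accepts both requests and ends with the tampered caption; the hardened one rejects the cross-site request with 403 and keeps the legitimate edit.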