GitHub - carsonchan12345/OpenKM-CSRF-PoC

Vulnerability: Cross-Site Request Forgery (CSRF)

Affected Product

OpenKM Community Edition

Affected Version

On or Before 6.3.12

Vulnerable URL

/OpenKM/admin/DatabaseQuery

Description

A Cross-Site Request Forgery (CSRF) vulnerability was discovered in OpenKM Community Edition on or before version 6.3.12. The vulnerability exists in the /admin/DatabaseQuery endpoint, which allows an attacker to manipulate a victim with administrative privileges to execute arbitrary SQL commands.

Attack Vector

An attacker can craft a malicious CSRF payload that, when executed by an administrator, can execute arbitrary SQL commands on the vulnerable system. This can lead to unauthorized data modification, extraction, or destruction.

Impact

Unauthorized data modification
Unauthorized data extraction
Unauthorized data destruction
Elevation of privileges

References

OpenKM Community Edition:
https://www.openkm.com/
https://github.com/openkm/document-management-system
CWE: CWE-352 (Cross-Site Request Forgery)

Name		Name	Last commit message	Last commit date
Latest commit History 7 Commits
README.md		README.md

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

Vulnerability: Cross-Site Request Forgery (CSRF)

Affected Product

Affected Version

Vulnerable URL

Description

Attack Vector

Impact

References

About

Releases

Packages

carsonchan12345/OpenKM-CSRF-PoC

Folders and files

Latest commit

History

Repository files navigation

Vulnerability: Cross-Site Request Forgery (CSRF)

Affected Product

Affected Version

Vulnerable URL

Description

Attack Vector

Impact

References

About

Resources

Stars

Watchers

Forks

Releases

Packages 0

Packages