Vulnerability: Cross-site Request Forgery (CSRF) to Remote Code Execution (RCE) #512

Closed
MrEmpy opened this issue Oct 17, 2022 · 1 comment

@MrEmpy

MrEmpy commented Oct 17, 2022

KodExplorer 4.49 - Cross-site Request Forgery (CSRF) to Remote Code Execution (RCE)

Summary

KodExplorer version 4.49 or earlier contains a vulnerability that has been rated critical. The vulnerability allows a malicious user to trick the target into clicking a malicious link, which results in a malicious file being uploaded to the target's server. The attack is based on Cross-Site Request Forgery and depends on target interaction to be executed successfully.

Affected Product

KodExplorer v4.49 and earlier

Severity Level

9.0 (Critical)
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Steps to Reproduce

Please provide an email address so that the proof of concept can be sent.

Mitigation

Considering that it is a CSRF-based flaw, it is recommended that functionality to block these types of attacks, such as an anti-CSRF token, be added.

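The mitigation the report asks for (an anti-CSRF token on state-changing requests), as an added example that is not part of the issue and is not KodExplorer's own code. It models an authenticated upload endpoint in memory, once in the shape the report describes (any POST carrying the session cookie is honoured) and once with a per-session synchronizer token plus an Origin/Referer check, then runs the same forged cross-site submission against both. `SITE_ORIGIN`, `SERVER_KEY`, the handler names and the two sample requests are assumptions constructed for the example.

```python
"""Synchronizer-token CSRF defence for a state-changing upload endpoint.

Added example (not code from the issue or from KodExplorer). SITE_ORIGIN,
SERVER_KEY and the sample requests below are assumptions/constructed.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

SITE_ORIGIN = "https://files.example"   # assumed origin of the file manager
SERVER_KEY = secrets.token_bytes(32)    # assumed per-deployment secret key


@dataclass
class Request:
    method: str
    cookies: dict
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


@dataclass
class Session:
    sid: str
    user: str
    uploads: list = field(default_factory=list)


SESSIONS: dict[str, Session] = {}


def login(user: str) -> str:
    """Create a session and return its id (what the session cookie carries)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = Session(sid, user)
    return sid


def csrf_token(sid: str) -> str:
    """Per-session token: HMAC(server key, session id). An attacker's page
    cannot read the victim's cookie, so it cannot compute or forge this."""
    return hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()


def origin_of(url: str) -> str:
    """Reduce an Origin or Referer value to scheme://host[:port]."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}"


def upload_vulnerable(req: Request) -> tuple[int, str]:
    """Accepts any POST that carries the session cookie. A browser attaches
    that cookie to a form auto-submitted from an attacker's page, which is
    the CSRF shape the report describes."""
    sess = SESSIONS.get(req.cookies.get("sid", ""))
    if req.method != "POST" or sess is None:
        return 401, "not logged in"
    sess.uploads.append((req.form["name"], req.form["content"]))
    return 200, "uploaded"


def upload_hardened(req: Request) -> tuple[int, str]:
    """Same endpoint with a synchronizer token and an Origin/Referer check."""
    sess = SESSIONS.get(req.cookies.get("sid", ""))
    if req.method != "POST" or sess is None:
        return 401, "not logged in"
    # Defence in depth: browsers send Origin on cross-site POSTs, so a
    # foreign (or absent) source is rejected before the token is looked at.
    src = req.headers.get("Origin") or req.headers.get("Referer")
    if src is None or origin_of(src) != SITE_ORIGIN:
        return 403, "cross-site request rejected"
    # Primary defence: the form must carry this session's token. Constant-time
    # comparison so the check does not leak the token byte by byte.
    supplied = req.form.get("csrf_token", "")
    if not hmac.compare_digest(supplied.encode(), csrf_token(sess.sid).encode()):
        return 403, "missing or invalid csrf token"
    sess.uploads.append((req.form["name"], req.form["content"]))
    return 200, "uploaded"


def forged_request(sid: str) -> Request:
    """Constructed: what the victim's browser sends when an attacker page
    auto-submits a POST form. The cookie rides along; the token does not."""
    return Request("POST", cookies={"sid": sid},
                   headers={"Origin": "https://attacker.example"},
                   form={"name": "payload.php", "content": "<constructed placeholder>"})


def legitimate_request(sid: str) -> Request:
    """Constructed: a same-origin submission that embeds the session's token."""
    return Request("POST", cookies={"sid": sid},
                   headers={"Origin": SITE_ORIGIN},
                   form={"name": "notes.txt", "content": "hello",
                         "csrf_token": csrf_token(sid)})


def demo() -> dict[str, int]:
    """Run the forged request against both handlers; count files written."""
    sid = login("victim")
    return {
        "vulnerable_forged": upload_vulnerable(forged_request(sid))[0],
        "hardened_forged": upload_hardened(forged_request(sid))[0],
        "hardened_legit": upload_hardened(legitimate_request(sid))[0],
        "files_written": len(SESSIONS[sid].uploads),
    }


if __name__ == "__main__":
    print(demo())
```

The token check is the load-bearing control: it works even when a client strips Referer, and it must be compared in constant time and bound to the session so that a token harvested from one account cannot be replayed against another. The Origin check is cheap defence in depth and catches the forged submission before the token is even examined.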
@kalcaddle (Owner)

warlee#kodcloud.com
Thanks.
