Vulnerability: Cross-site Request Forgery (CSRF) to Remote Code Execution (RCE)
brosck opened this issue · 1 comment
KodExplorer 4.49 - Cross-site Request Forgery (CSRF) to Remote Code Execution (RCE)
Summary
KodExplorer version 4.49 or earlier contains a vulnerability that has been rated critical. The vulnerability allows a malicious user to trick the target into clicking on a malicious link, which will result in a malicious file being uploaded to the target's server. The attack is based on Cross-site Request Forgery and depends on target interaction for it to be successfully executed.
Affected Product
KodExplorer v4.49 and earlier
Severity Level
9.0 (Critical)
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Steps to Reproduce
Please provide some email address so that the proof of concept can be sent.
Mitigation
Considering that it is a CSRF-based flaw, it is recommended that there is functionality to block these types of attacks, such as an anti-CSRF token.
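The anti-CSRF token the report recommends is usually implemented as a synchronizer token: the server mints a per-session secret value, embeds it in its own forms, and rejects any state-changing request (such as a file upload) that does not carry a valid one. A page on another origin cannot read the victim's token, so a forged request fails the check. The following is an added illustration of that pattern, not code from the KodExplorer project; the session ids, the secret key, the allowed origin and the request dictionaries are all constructed for the example.

```python
import hmac
import hashlib
import secrets

# Constructed for this example: the origin the application is served from.
# A real deployment would take this from configuration.
ALLOWED_ORIGIN = "https://files.example.test"


def issue_csrf_token(session_id: str, secret_key: bytes) -> str:
    """Mint a token bound to one session: <nonce>.<HMAC(session_id:nonce)>.

    The HMAC ties the token to the session, so a token captured or minted
    elsewhere cannot be replayed against a different user's session.
    """
    nonce = secrets.token_hex(16)
    mac = hmac.new(secret_key, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, secret_key: bytes, token: str) -> bool:
    """Recompute the HMAC for this session and compare in constant time."""
    try:
        nonce, mac = token.split(".", 1)
    except ValueError:
        return False
    expected = hmac.new(secret_key, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def handle_upload(request: dict, session_id: str, secret_key: bytes) -> tuple:
    """Gatekeeper for a state-changing endpoint such as a file upload.

    `request` is a constructed stand-in for a framework request object:
    {"method": str, "headers": {...}, "form": {...}}.
    Returns (status_code, message).
    """
    # Uploads must never be reachable via GET: a plain link would trigger them.
    if request["method"] != "POST":
        return 405, "method not allowed"

    # Defence in depth: if the browser sent an Origin header, it must be ours.
    origin = request["headers"].get("Origin")
    if origin is not None and origin != ALLOWED_ORIGIN:
        return 403, "cross-origin request rejected"

    # The synchronizer token is the primary control.
    token = request["form"].get("csrf_token", "")
    if not verify_csrf_token(session_id, secret_key, token):
        return 403, "CSRF token missing or invalid"

    # Only now would the real upload handling run.
    return 200, "upload accepted"


if __name__ == "__main__":
    key = b"constructed-secret-key-for-demo"
    tok = issue_csrf_token("sess-A", key)
    good = {"method": "POST", "headers": {"Origin": ALLOWED_ORIGIN},
            "form": {"csrf_token": tok, "file": "notes.txt"}}
    forged = {"method": "POST", "headers": {"Origin": "https://attacker.example"},
              "form": {"file": "shell.php"}}
    print(handle_upload(good, "sess-A", key))    # (200, 'upload accepted')
    print(handle_upload(forged, "sess-A", key))  # (403, 'cross-origin request rejected')
```

The token must be delivered only inside the application's own responses (a hidden form field or a header read by its own JavaScript), never in a cookie alone, since cookies are exactly what the browser attaches to a forged request automatically. Marking the session cookie `SameSite=Lax` or `Strict` is a useful second layer but does not replace the token.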
warlee#kodcloud.com
thanks.