kalcaddle/KodExplorer

Vulnerability: Cross-site Request Forgery (CSRF) to Remote Code Execution (RCE)

brosck opened this issue · 1 comment

KodExplorer 4.49 - Cross-site Request Forgery (CSRF) to Remote Code Execution (RCE)

Summary

KodExplorer version 4.49 or earlier contains a vulnerability that has been rated critical. The vulnerability allows a malicious user to trick the target into clicking on a malicious link, which will result in a malicious file being uploaded to the target's server. The attack is based on Cross-site Request Forgery and depends on target interaction for it to be successfully executed.

Affected Product

KodExplorer v4.49 and earlier

Severity Level

9.0 (Critical)
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Steps to Reproduce

Please provide some email address so that the proof of concept can be sent.

Mitigation

Considering that it is a CSRF-based flaw, it is recommended that functionality to block these types of attacks be added, such as an anti-CSRF token.
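The synchronizer-token check that the mitigation above recommends, shown as an added example. This is not KodExplorer's code and not the reporter's proof of concept; the upload handler, session and request stand-ins, the server secret and the site origin are all assumptions constructed for illustration. The forged request models the attack the summary describes: a page on another site auto-submits a POST that the victim's browser authenticates with its cookie.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from urllib.parse import urlsplit

# Assumed server-side secret; a real deployment loads it from configuration.
SERVER_SECRET = secrets.token_bytes(32)


@dataclass
class Session:
    """Minimal stand-in for a logged-in user's server-side session."""
    session_id: str
    user: str


@dataclass
class Request:
    """Constructed stand-in for an HTTP POST as the application sees it.
    The session is attached because cookie authentication also applies to a
    cross-site POST: that is exactly what CSRF exploits."""
    method: str
    path: str
    headers: dict
    form: dict
    session: Session


def issue_csrf_token(session: Session) -> str:
    """Per-session token = HMAC(secret, session_id), rendered into the upload form.
    Cookies are sent automatically; a hidden form field is not, so an attacker's
    page cannot read or guess this value."""
    return hmac.new(SERVER_SECRET, session.session_id.encode(), hashlib.sha256).hexdigest()


def csrf_token_valid(request: Request) -> bool:
    """Constant-time comparison of the submitted token with the expected one."""
    submitted = request.form.get("csrf_token", "")
    expected = issue_csrf_token(request.session)
    return hmac.compare_digest(submitted.encode(), expected.encode())


def origin_allowed(request: Request, site_origin: str) -> bool:
    """Defence in depth: a state-changing request must name our own origin.
    Use Origin, fall back to Referer, and reject when neither is present."""
    origin = request.headers.get("Origin")
    if origin is None:
        referer = request.headers.get("Referer")
        if referer is None:
            return False
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin == site_origin


def handle_upload_vulnerable(request: Request, storage: dict) -> str:
    """Before: any authenticated POST is written to storage, so a forged
    cross-site POST carrying the victim's cookie succeeds."""
    if request.method != "POST":
        return "405 Method Not Allowed"
    storage[request.form["filename"]] = request.form["content"]
    return "200 OK"


def handle_upload_hardened(request: Request, storage: dict, site_origin: str) -> str:
    """After: origin check plus synchronizer token before any file is written."""
    if request.method != "POST":
        return "405 Method Not Allowed"
    if not origin_allowed(request, site_origin):
        return "403 Forbidden (bad origin)"
    if not csrf_token_valid(request):
        return "403 Forbidden (missing or invalid CSRF token)"
    storage[request.form["filename"]] = request.form["content"]
    return "200 OK"


def demo() -> dict:
    """Run a legitimate upload and a forged one through both handlers (constructed data)."""
    site = "https://files.example.test"
    victim = Session(session_id=secrets.token_hex(16), user="alice")
    legit = Request("POST", "/upload", {"Origin": site},
                    {"filename": "notes.txt", "content": "hello",
                     "csrf_token": issue_csrf_token(victim)}, victim)
    # Forged: an attacker page auto-submits the form; the cookie goes along, the token does not.
    forged = Request("POST", "/upload", {"Origin": "https://attacker.example"},
                     {"filename": "payload.txt", "content": "constructed malicious content"}, victim)
    results = {}
    for name, req in (("legit", legit), ("forged", forged)):
        results[name] = {
            "vulnerable": handle_upload_vulnerable(req, {}),
            "hardened": handle_upload_hardened(req, {}, site),
        }
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

Setting the session cookie with `SameSite=Lax` or `Strict` is a cheap additional layer, but the token check is what the reporter asks for and is the part that holds regardless of browser behaviour; the origin check only adds defence in depth because some clients omit both headers.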

warlee#kodcloud.com
Thanks.