IQID:12632 HTTP Advanced Electron Forum CSRF Vulnerability_3 (From Server) S
IQID: 12632 - February 2016
In Admin control panel there is option to Import Skins and one choice is using a web URL. From AEF: "Specify the URL of the theme on the net. The theme file must be a compressed archive (zip, tgz, tbz2, tar)." However there is no CSRF token or check made that this is a valid request made by the currently logged in user, resulting in arbitrary remote file imports from an attacker if the user visits or clicks an malicious link. Victims will then be left open to arbitrary malicious file downloads from anywhere on the net which may be used as a platform for further attacks.
A Full Description is available for this threat, please sign in for access to Full Description.
Attack Data
Attack Data is available for this threat, please sign in for access to Attack Data.
CVSS Information
CVSS Information is available for this threat, please sign in for access to CVSS Information.
Date
Date Information is available for this threat, please sign in for access to Date Information.
Security Rule
A security rule is available to identify this threat, please sign in for access to security rules.
Permalink
Link directly to this page.
http://www.idappcom.com/db/?12632
© 2024 by IDappcom. Privacy policy. IDappcom Ltd, 6 Rural Enterprise Centre, Ludlow, Shropshire, SY8 1FF.
Log In