Overview
CodeLathe FileCloud, version 13.0.0.32841 and earlier, is vulnerable to cross-site request forgery (CSRF).
Description
CWE-352: Cross-Site Request Forgery (CSRF) - CVE-2016-6578 CodeLathe FileCloud is an "is an Enterprise File Access, Sync and Share solution that runs on-premise." FileCloud, version 13.0.0.32841 and earlier, contains a global cross-site request forgery (CSRF) vulnerability. An attacker can perform actions with the same permissions as a victim user, provided the victim has an active session and is induced to trigger the malicious request. |
Impact
A remote, unauthenticated attacker may be able to induce an authenticated user into making an unintentional request to the FileCloud server that will be treated as an authentic request. |
Solution
Apply an update |
Vendor Information
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | 6.8 | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| Temporal | 5.3 | E:POC/RL:OF/RC:C |
| Environmental | 4.0 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND |
References
Acknowledgements
Thanks to Stéphane Adamiste for reporting this vulnerability.
This document was written by Joel Land.
Other Information
| CVE IDs: | CVE-2016-6578 |
| Date Public: | 2017-01-13 |
| Date First Published: | 2017-01-13 |
| Date Last Updated: | 2017-01-13 14:32 UTC |
| Document Revision: | 7 |