Vulnerability Note VU#865216
CodeLathe FileCloud is vulnerable to cross-site request forgery
Overview
CodeLathe FileCloud, version 13.0.0.32841 and earlier, is vulnerable to cross-site request forgery (CSRF).
Description
CWE-352: Cross-Site Request Forgery (CSRF) - CVE-2016-6578
CodeLathe FileCloud is "an Enterprise File Access, Sync and Share solution that runs on-premise." FileCloud, version 13.0.0.32841 and earlier, contains a global cross-site request forgery (CSRF) vulnerability: state-changing requests are accepted on the strength of the victim's session alone. An attacker can perform actions with the same permissions as a victim user, provided the victim has an active session and is induced to trigger the malicious request.
Impact
A remote, unauthenticated attacker may be able to induce an authenticated user into making an unintentional request to the FileCloud server that will be treated as an authentic request.
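To make the vulnerability class concrete, here is an added example (not code from the vulnerability note or from FileCloud) that models the defect described above and the standard fix. It uses a constructed Request type and an in-memory session store; the handler names, paths and origin `https://filecloud.example` are assumptions. The "before" handler authorises a state-changing action on the session cookie alone, which a browser attaches to cross-site form posts automatically; the "after" handler additionally requires a per-session synchronizer token that a third-party page cannot read, and checks the Origin header as defence in depth.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    """Constructed stand-in for an HTTP request: only the fields a CSRF check needs."""
    method: str
    path: str
    cookies: dict
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


# Server-side session store, keyed by the session cookie value (assumed layout).
SESSIONS = {}


def new_session(user: str) -> str:
    """Create a session and mint a per-session CSRF token (synchronizer token pattern)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def current_session(req: Request):
    return SESSIONS.get(req.cookies.get("session"))


def share_file_vulnerable(req: Request) -> dict:
    """Before: authorises on the session cookie alone. The browser sends that cookie
    with a cross-site form post, so a forged request is accepted as the victim."""
    sess = current_session(req)
    if sess is None:
        return {"status": 401}
    return {"status": 200, "shared_by": sess["user"], "file": req.form.get("file")}


def share_file_protected(req: Request, allowed_origin: str = "https://filecloud.example") -> dict:
    """After: a state-changing request must be a POST carrying the session-bound token;
    a mismatching Origin header is rejected as defence in depth."""
    sess = current_session(req)
    if sess is None:
        return {"status": 401}
    if req.method != "POST":
        return {"status": 405}
    origin = req.headers.get("Origin")
    if origin is not None and origin != allowed_origin:
        return {"status": 403, "reason": "cross-origin request"}
    submitted = req.form.get("csrf_token", "")
    # Constant-time comparison so the token check does not leak timing information.
    if not hmac.compare_digest(submitted, sess["csrf_token"]):
        return {"status": 403, "reason": "missing or invalid CSRF token"}
    return {"status": 200, "shared_by": sess["user"], "file": req.form.get("file")}


def demo() -> tuple:
    """Returns the status codes (vulnerable/forged, protected/forged, protected/legitimate)."""
    sid = new_session("alice")
    # Constructed cross-site POST: the browser attached Alice's cookie, but the
    # originating page has no way to read her token, so the form omits it.
    forged = Request("POST", "/share", cookies={"session": sid},
                     headers={"Origin": "https://attacker.example"},
                     form={"file": "report.pdf"})
    # Constructed legitimate POST from the application's own page, which embedded the token.
    legit = Request("POST", "/share", cookies={"session": sid},
                    headers={"Origin": "https://filecloud.example"},
                    form={"file": "report.pdf", "csrf_token": SESSIONS[sid]["csrf_token"]})
    return (share_file_vulnerable(forged)["status"],
            share_file_protected(forged)["status"],
            share_file_protected(legit)["status"])


if __name__ == "__main__":
    print(demo())  # (200, 403, 200)
```

The token must be unpredictable, bound to the session, and delivered only inside the application's own pages (a hidden form field or a header set by the application's JavaScript); a cookie alone is not enough, because cookies are exactly what the browser sends on the attacker's behalf. A `SameSite` cookie attribute is a useful additional layer but does not replace the token check.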
Solution
Apply an update
The vendor has released version 14.0 to address this vulnerability. Users are encouraged to view the release notes and update to the latest release.
Vendor Information
Vendor | Status | Date Notified | Date Updated
---|---|---|---
CodeLathe | Affected | 16 Sep 2016 | 14 Dec 2016
CVSS Metrics
Group | Score | Vector
---|---|---
Base | 6.8 | AV:N/AC:M/Au:N/C:P/I:P/A:P
Temporal | 5.3 | E:POC/RL:OF/RC:C
Environmental | 4.0 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND
References
- https://www.getfilecloud.com/
- https://www.getfilecloud.com/releasenotes/
- https://cwe.mitre.org/data/definitions/352.html
Credit
Thanks to Stéphane Adamiste for reporting this vulnerability.
This document was written by Joel Land.
Other Information
CVE IDs: CVE-2016-6578
Date Public: 13 Jan 2017
Date First Published: 13 Jan 2017
Date Last Updated: 13 Jan 2017
Document Revision: 7