CodeLathe FileCloud is vulnerable to cross-site request forgery

Overview

CodeLathe FileCloud, version 13.0.0.32841 and earlier, is vulnerable to cross-site request forgery (CSRF).

Description

CWE-352: Cross-Site Request Forgery (CSRF) - CVE-2016-6578

CodeLathe FileCloud is an “is an Enterprise File Access, Sync and Share solution that runs on-premise.” FileCloud, version 13.0.0.32841 and earlier, contains a global cross-site request forgery (CSRF) vulnerability. An attacker can perform actions with the same permissions as a victim user, provided the victim has an active session and is induced to trigger the malicious request.

---

Impact

A remote, unauthenticated attacker may be able to induce an authenticated user into making an unintentional request to the FileCloud server that will be treated as an authentic request.

---

Solution

Apply an update

The vendor has released version 14.0 to address this vulnerability. Users are encouraged to view the release notes and update to the latest release.

---

Vendor Information

865216

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

CodeLathe Affected

Notified: September 16, 2016 Updated: December 14, 2016

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

CVSS Metrics

Group	Score	Vector
Base	6.8	AV:N/AC:M/Au:N/C:P/I:P/A:P
Temporal	5.3	E:POC/RL:OF/RC:C
Environmental	4.0	CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

• <https://www.getfilecloud.com/&gt;
• <https://www.getfilecloud.com/releasenotes/&gt;
• <https://cwe.mitre.org/data/definitions/352.html&gt;

Acknowledgements

Thanks to Stéphane Adamiste for reporting this vulnerability.

This document was written by Joel Land.

Other Information

CVE IDs:	CVE-2016-6578
Date Public:	2017-01-13 Date First Published: