Cross site request forgery (csrf)

2018-09-2820:29:00

PRIOn knowledge base

www.prio-n.com

8.5 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

57.8%

JSON

For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, the Content Explorer application grants users the ability to upload files to shares and this image was rendered in the browser in the device’s origin instead of prompting to download the asset. The application does not prevent the user from uploading SVG images and returns these images within their origin. As a result, malicious users can upload SVG images that contain arbitrary JavaScript that is evaluated when the victim issues a request to download the file.

CPENameOperatorVersion
ez_media_\\&_backup_center_firmwareeq4.1.402.34662
ez_media_\\&_backup_center_firmwareeq4.1.402.34662
ix2_firmwareeq4.1.402.34662
ix4-300d_firmwareeq4.1.402.34662
px12-400r_firmwareeq4.1.402.34662
px12-450r_firmwareeq4.1.402.34662
px2-300d_firmwareeq4.1.402.34662
px4-300d_firmwareeq4.1.402.34662
px4-300r_firmwareeq4.1.402.34662
px4-400d_firmwareeq4.1.402.34662

Name	Operator	Version
ez_media_\\&_backup_center_firmware	eq	4.1.402.34662
ez_media_\\&_backup_center_firmware	eq	4.1.402.34662
ix2_firmware	eq	4.1.402.34662
ix4-300d_firmware	eq	4.1.402.34662
px12-400r_firmware	eq	4.1.402.34662
px12-450r_firmware	eq	4.1.402.34662
px2-300d_firmware	eq	4.1.402.34662
px4-300d_firmware	eq	4.1.402.34662
px4-300r_firmware	eq	4.1.402.34662
px4-400d_firmware	eq	4.1.402.34662