blob: 4fb3be6b066b833363e3f25ad7cfd44bda3f56cf [file] [log] [blame]
id: GO-2022-0563
modules:
- module: github.com/filebrowser/filebrowser/v2
versions:
- fixed: 2.18.0
vulnerable_at: 2.17.2
packages:
- package: github.com/filebrowser/filebrowser/v2/http
symbols:
- NewHandler
summary: Cross-site request forgery in github.com/filebrowser/filebrowser/v2
description: |-
A Cross-Site Request Forgery vulnerability exists in Filebrowser that allows
attackers to create a backdoor user with admin privilege and get access to the
filesystem via a malicious HTML webpage that is sent to the victim.
published: 2022-02-05T00:00:31Z
cves:
- CVE-2021-46398
ghsas:
- GHSA-72wf-hwcq-65h9
credits:
- Febin
references:
- fix: https://github.com/filebrowser/filebrowser/commit/74b7cd8e81840537a8206317344f118093153e8d
- web: https://github.com/filebrowser/filebrowser/issues/1621
- web: https://systemweakness.com/critical-csrf-to-rce-in-filebrowser-865a3c34b8e7
review_status: REVIEWED