Advisory 2022-01/2 Threat of CSRF via File Upload
Threat of CSRF
|Security Advisory Date||January 6, 2022|
|Vulnerability Type||Cross-site Request Forgery (CSRF)|
Medium, since this only occurs in browsers where cookies have samesite set to None.
|Versions affected||All versions of FileCloud prior to 21.3|
|Version fixed||FileCloud Version 184.108.40.20647|
|Source||Tim Wörner and Gerbert Roitburd of usd AG|
This vulnerability enables an attacker to forge a request that, if executed by an administrator, submits a request that uploads a malicious file to FileCloud. This only occurs if cookies have samesite set to None.
This has been fixed in FileCloud version 220.127.116.1147, which includes additional CSRF checks for uploads
What you should do
- If you are using FileCloud on-premises, it is recommended that you update to the latest version, which is 18.104.22.16847 or greater. This will resolve the issue.
- If you are using FileCloud online, your site has already been updated to the latest version.
If you have any questions about this advisory, please contact FileCloud support.