Breadcrumbs

Advisory 2022-01/3 Threat of CSRF via User Creation

https://fileclouddocs.atlassian.net/wiki/plugins/servlet/confluence/placeholder/unknown-macro?name=customtitleandmetaform&locale=en_US&version=2

https://fileclouddocs.atlassian.net/wiki/plugins/servlet/confluence/placeholder/unknown-macro?name=customtitleandmetaform&locale=en_US&version=2

https://fileclouddocs.atlassian.net/wiki/plugins/servlet/confluence/placeholder/unknown-macro?name=customtitleandmetaform&locale=en_US&version=2

Threat of CSRF

Security Advisory Date

January 6, 2022

Vulnerability Type

Cross-site Request Forgery (CSRF)

Severity factors

Medium, since this only occurs in browsers where cookies have samesite set to None

Versions affected

All versions of FileCloud prior to 21.3

Version fixed

FileCloud Version 21.3.0.18447

CVE Number

CVE-2022-25241

Source

Tim Wörner and Gerbert Roitburd of usd AG

Description

This vulnerability enables an attacker to forge a request that, if executed by an administrator, submits a request that uploads a csv file containing information that FileCloud uses to create a new user. The attacker can then log in to FileCloud with the new user credentials. This only occurs if cookies have samesite set to None.

Fix

This has been fixed in FileCloud version 21.3.0.18447, which includes additional CSRF checks for uploads

What you should do

  • If you are using FileCloud on-premises, it is recommended that you update to the latest version, which is 21.3.0.18447 or greater. This will resolve the issue.

  • If you are using FileCloud online, your site has already been updated to the latest version.

If you have any questions about this advisory, please contact FileCloud support.