Cotonti
Monthly
Stored cross-site scripting in Cotonti 1.0.0 (master branch, commit f43f1fc3) lets an authenticated user inject HTML/JavaScript into Personal File Storage (PFS) folder titles, which then execute in any viewer's browser when the folder listing is rendered. The flaw stems from the 'TXT' import filter not encoding HTML combined with unescaped template output, and no public exploit identified at time of analysis. Discovered by TuranSec; impact extends to other users browsing public folders, enabling session theft or account actions in their context.
Cross-site request forgery in Cotonti 1.0.0's Personal File Storage module allows remote attackers to hijack authenticated user sessions to silently modify folder metadata. The folder update action ('a=update') in modules/pfs/inc/pfs.editfolder.php processes state-changing requests without invoking Cotonti's built-in anti-CSRF token validation function cot_check_xg(), enabling an attacker to force a logged-in user to unknowingly expose private folders or alter their descriptions. No public exploit code has been confirmed and the vulnerability is not listed in CISA KEV, but the specific vulnerable code commit is publicly identified by the reporter TuranSec.
Cross-Site Request Forgery in the Personal File Storage (PFS) module of Cotonti 1.0.0 (commit f43f1fc3) allows remote attackers to upload arbitrary files into an authenticated victim's storage by luring them to a malicious page. The 'a=upload' action in modules/pfs/inc/pfs.main.php omits the cot_check_xg() anti-CSRF token check that sibling actions like 'delete' enforce. No public exploit identified at time of analysis, though the root cause is documented in the public source code reference.
Cross-site request forgery in Cotonti 1.0.0 (commit f43f1fc3) lets a remote attacker escalate privileges to administrator by tricking a logged-in admin into loading an attacker-controlled page that submits a forged rights-update request to system/admin/admin.rights.php. Because Cotonti administrators can edit templates and configuration, the resulting account can be pivoted to remote code execution on the host. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Cross-site request forgery in Cotonti 1.0.0 (commit f43f1fc3) administration configuration handler allows a remote attacker to coerce an authenticated administrator's browser into silently modifying arbitrary core, module, or plugin configuration options. The flaw in system/admin/admin.config.php stems from the 'a=update' action invoking cot_config_update_options() without the cot_check_xg() anti-CSRF token check used elsewhere in the admin panel. No public exploit identified at time of analysis, though the root cause is well-documented at the source line level by the reporter (TuranSec).
Stored cross-site scripting in Cotonti 1.0.0 (master branch, commit f43f1fc3) lets an authenticated user inject HTML/JavaScript into Personal File Storage (PFS) folder titles, which then execute in any viewer's browser when the folder listing is rendered. The flaw stems from the 'TXT' import filter not encoding HTML combined with unescaped template output, and no public exploit identified at time of analysis. Discovered by TuranSec; impact extends to other users browsing public folders, enabling session theft or account actions in their context.
Cross-site request forgery in Cotonti 1.0.0's Personal File Storage module allows remote attackers to hijack authenticated user sessions to silently modify folder metadata. The folder update action ('a=update') in modules/pfs/inc/pfs.editfolder.php processes state-changing requests without invoking Cotonti's built-in anti-CSRF token validation function cot_check_xg(), enabling an attacker to force a logged-in user to unknowingly expose private folders or alter their descriptions. No public exploit code has been confirmed and the vulnerability is not listed in CISA KEV, but the specific vulnerable code commit is publicly identified by the reporter TuranSec.
Cross-Site Request Forgery in the Personal File Storage (PFS) module of Cotonti 1.0.0 (commit f43f1fc3) allows remote attackers to upload arbitrary files into an authenticated victim's storage by luring them to a malicious page. The 'a=upload' action in modules/pfs/inc/pfs.main.php omits the cot_check_xg() anti-CSRF token check that sibling actions like 'delete' enforce. No public exploit identified at time of analysis, though the root cause is documented in the public source code reference.
Cross-site request forgery in Cotonti 1.0.0 (commit f43f1fc3) lets a remote attacker escalate privileges to administrator by tricking a logged-in admin into loading an attacker-controlled page that submits a forged rights-update request to system/admin/admin.rights.php. Because Cotonti administrators can edit templates and configuration, the resulting account can be pivoted to remote code execution on the host. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Cross-site request forgery in Cotonti 1.0.0 (commit f43f1fc3) administration configuration handler allows a remote attacker to coerce an authenticated administrator's browser into silently modifying arbitrary core, module, or plugin configuration options. The flaw in system/admin/admin.config.php stems from the 'a=update' action invoking cot_config_update_options() without the cot_check_xg() anti-CSRF token check used elsewhere in the admin panel. No public exploit identified at time of analysis, though the root cause is well-documented at the source line level by the reporter (TuranSec).