Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS0zNWdwLWp4dzgteHc2aM4AAlsp
Codiad CSRF Vulnerability
A Cross Side Request Forgery (CSRF) vulnerability was found in Codiad v1.7.8 and later. The request to download a plugin from the marketplace is only available to admin users and it isn't CSRF protected in components/market/controller.php. This might cause admins to make a vulnerable request without them knowing and result in remote code execution. NOTE: the vendor states "Codiad is no longer under active maintenance by core contributors."
Permalink: https://github.com/advisories/GHSA-35gp-jxw8-xw6hJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0zNWdwLWp4dzgteHc2aM4AAlsp
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 2 years ago
Updated: 23 days ago
CVSS Score: 8.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Identifiers: GHSA-35gp-jxw8-xw6h, CVE-2020-14043
References:
- https://nvd.nist.gov/vuln/detail/CVE-2020-14043
- https://github.com/Codiad/Codiad/issues/1122
- https://github.com/Codiad/Codiad/issues/1132
- https://web.archive.org/web/20220828222205/https://advisory.checkmarx.net/advisory/CX-2020-4279
- https://github.com/advisories/GHSA-35gp-jxw8-xw6h
Blast Radius: 5.3
Affected Packages
packagist:codiad/codiad
Dependent packages: 0Dependent repositories: 4
Downloads: 294 total
Affected Version Ranges: >= 1.7.8, <= 2.8.4
No known fixed version
All affected versions: