{"vuid":"VU#865216","idnumber":"865216","name":"CodeLathe FileCloud is vulnerable to cross-site request forgery","keywords":["codelathe","filecloud","csrf"],"overview":"CodeLathe FileCloud, version 13.0.0.32841 and earlier, is vulnerable to cross-site request forgery (CSRF).","clean_desc":"CWE-352: Cross-Site Request Forgery (CSRF) - CVE-2016-6578 CodeLathe FileCloud is an \"is an Enterprise File Access, Sync and Share solution that runs on-premise.\" FileCloud, version 13.0.0.32841 and earlier, contains a global cross-site request forgery (CSRF) vulnerability. An attacker can perform actions with the same permissions as a victim user, provided the victim has an active session and is induced to trigger the malicious request.","impact":"A remote, unauthenticated attacker may be able to induce an authenticated user into making an unintentional request to the FileCloud server that will be treated as an authentic request.","resolution":"Apply an update The vendor has released version 14.0 to address this vulnerability. 
Users are encouraged to view the release notes and update to the latest release.","workarounds":"","sysaffected":"","thanks":"Thanks to Stéphane Adamiste for reporting this vulnerability.","author":"This document was written by Joel Land.","public":["https://www.getfilecloud.com/","https://www.getfilecloud.com/releasenotes/","https://cwe.mitre.org/data/definitions/352.html"],"cveids":["CVE-2016-6578"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2016-09-12T20:35:39Z","publicdate":"2017-01-13T00:00:00Z","datefirstpublished":"2017-01-13T14:32:19Z","dateupdated":"2017-01-13T14:32:20Z","revision":7,"vrda_d1_directreport":"1","vrda_d1_population":"2","vrda_d1_impact":"2","cam_widelyknown":"0","cam_exploitation":"0","cam_internetinfrastructure":"0","cam_population":"0","cam_impact":"0","cam_easeofexploitation":"0","cam_attackeraccessrequired":"0","cam_scorecurrent":"0","cam_scorecurrentwidelyknown":"0","cam_scorecurrentwidelyknownexploited":"0","ipprotocol":"","cvss_accessvector":"N","cvss_accesscomplexity":"M","cvss_authentication":null,"cvss_confidentialityimpact":"P","cvss_integrityimpact":"P","cvss_availabilityimpact":"P","cvss_exploitablity":null,"cvss_remediationlevel":"OF","cvss_reportconfidence":"C","cvss_collateraldamagepotential":"ND","cvss_targetdistribution":"M","cvss_securityrequirementscr":"ND","cvss_securityrequirementsir":"ND","cvss_securityrequirementsar":"ND","cvss_basescore":"6.8","cvss_basevector":"AV:N/AC:M/Au:N/C:P/I:P/A:P","cvss_temporalscore":"5.3","cvss_environmentalscore":"4.00641675301744","cvss_environmentalvector":"CDP:ND/TD:M/CR:ND/IR:ND/AR:ND","metric":0.0,"vulnote":null}
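The note describes the CWE-352 pattern in the abstract: a server treats any request carrying a valid session cookie as the user's intent, so a page on another origin can submit a form that the victim's browser completes with their cookie. The example below is added here to make that concrete and is not FileCloud code or the vendor's fix; the host name, the `/share` endpoint, the request shape and the in-memory session store are all hypothetical. It places a vulnerable handler beside a hardened one that requires a same-origin `Origin`/`Referer` header and a per-session synchronizer token, then replays a constructed forged request and a constructed legitimate request against both. Whether FileCloud 14.0 uses this mechanism is not stated in the note.

```python
"""CSRF (CWE-352) in miniature: the unprotected handler trusts the session
cookie alone; the hardened handler additionally requires a per-session
synchronizer token and a same-origin Origin/Referer header.

Everything here is constructed for illustration: the host names, the
'/share' endpoint and the request shape are hypothetical, not FileCloud's.
"""
import hmac
import secrets
from dataclasses import dataclass, field

SITE_ORIGIN = "https://files.example.com"   # hypothetical file-server origin

# session id -> session state (in-memory stand-in for a server session store)
SESSIONS: dict[str, dict] = {}


@dataclass
class Request:
    method: str
    path: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def login(user: str) -> str:
    """Create a session and mint an unpredictable CSRF token bound to it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid: str) -> str:
    """The token the server embeds in its own forms for this session."""
    return SESSIONS[sid]["csrf"]


def _session_of(req: Request):
    return SESSIONS.get(req.cookies.get("session", ""))


def share_unprotected(req: Request) -> tuple[int, str]:
    """Vulnerable pattern: a session cookie alone proves the user's intent."""
    sess = _session_of(req)
    if sess is None:
        return 401, "login required"
    if req.method != "POST":
        return 405, "POST only"
    return 200, f"{sess['user']} shared {req.form['path']} with {req.form['with']}"


def share_protected(req: Request) -> tuple[int, str]:
    """Hardened: same checks, plus an origin check and a synchronizer token."""
    sess = _session_of(req)
    if sess is None:
        return 401, "login required"
    if req.method != "POST":
        return 405, "POST only"
    # Browsers set Origin (or Referer) on cross-site form posts and page
    # script cannot overwrite them, so a foreign value is refused outright.
    origin = req.headers.get("Origin") or req.headers.get("Referer") or ""
    if origin != SITE_ORIGIN and not origin.startswith(SITE_ORIGIN + "/"):
        return 403, "cross-origin request refused"
    # The token exists only in pages this server rendered for this session;
    # another origin cannot read it. Compare in constant time.
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, sess["csrf"]):
        return 403, "missing or invalid CSRF token"
    return 200, f"{sess['user']} shared {req.form['path']} with {req.form['with']}"


def demo() -> dict:
    """Replay a forged and a legitimate request against both handlers."""
    sid = login("alice")
    # Constructed forged request: alice visits https://evil.example, whose page
    # auto-submits a form to the file server. Her browser attaches the session
    # cookie, but the page can supply neither her token nor a first-party Origin.
    forged = Request(
        "POST", "/share",
        cookies={"session": sid},
        headers={"Origin": "https://evil.example"},
        form={"path": "/alice/payroll.xlsx", "with": "attacker@evil.example"},
    )
    # Constructed legitimate request submitted from the server's own share form.
    legit = Request(
        "POST", "/share",
        cookies={"session": sid},
        headers={"Origin": SITE_ORIGIN},
        form={"path": "/alice/notes.txt", "with": "bob",
              "csrf_token": csrf_token_for(sid)},
    )
    return {
        "forged_unprotected": share_unprotected(forged)[0],   # 200: CSRF succeeds
        "forged_protected": share_protected(forged)[0],       # 403: refused
        "legit_protected": share_protected(legit)[0],         # 200: still works
    }


if __name__ == "__main__":
    print(demo())
```

The two checks are deliberately independent: the origin check stops the forged post even if a token were leaked, and the token check stops it even on browsers that omit `Origin`. Marking the session cookie `SameSite=Lax` or `Strict` is a third, defence-in-depth layer that the example leaves to the cookie-setting code.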