PT-2009-1948 · Parallels · Parallels Virtuozzo
Published 2009-03-16 · Updated 2018-10-11 · CVE-2008-6478
CVSS v2.0: 6.8 (Medium)
| Vector | AV:N/AC:M/Au:N/C:P/I:P/A:P |
Name of the Vulnerable Software and Affected Versions
Parallels Virtuozzo versions 3.0.0-25.4.swsoft through 4.0.0-365.6.swsoft
Description
A cross-site request forgery (CSRF) issue exists in the file manager of the VZPP web interface, allowing remote attackers to create and delete arbitrary files as the administrator. Because the file-manager actions are triggered by plain requests that carry no anti-CSRF protection, a link or IMG tag pointing at specific API endpoints is enough; one such endpoint is "vz/cp/vzdir/infrman/envs/files/", which creates files and can modify system configuration through the path parameter.
Recommendations
For versions 3.0.0-25.4.swsoft through 4.0.0-365.6.swsoft, consider disabling access to the file manager in the VZPP web interface until a patch is available. Restrict access to the vz/cp/vzdir/infrman/envs/files/ endpoint to minimize the risk of exploitation. Avoid using the path parameter in the affected API endpoint until the issue is resolved.
Exploit
Fix
CSRF
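The following is an added example, not code from Parallels or from the VZPP product, showing the three server-side checks that close the class of issue described above for a file-manager endpoint: state changes only over POST (so a link or IMG tag cannot trigger them), an Origin/Referer check against the panel's own origin, and a session-bound synchronizer token. It also confines the path parameter to a per-container root, since the advisory notes the parameter reaches system configuration. The endpoint path is the one named in the advisory; the handler, the Request type, the trusted origin and the container root are assumptions constructed for the example.

```python
"""Added example: CSRF and path-confinement checks for a file-manager
endpoint. Not Parallels/VZPP code; handler names and origins are made up."""
import hashlib
import hmac
import posixpath
import secrets
from dataclasses import dataclass, field
from typing import Optional, Tuple
from urllib.parse import urlparse

# Endpoint path as named in the advisory; everything else is constructed.
FILES_ENDPOINT = "/vz/cp/vzdir/infrman/envs/files/"
TRUSTED_ORIGIN = "https://panel.example.invalid"      # constructed panel origin
CONTAINER_ROOT = "/vz/private/101/root"               # constructed per-container root
SECRET = secrets.token_bytes(32)                      # per-process token key


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (constructed for the example)."""
    method: str
    path: str
    headers: dict
    form: dict = field(default_factory=dict)
    session_id: str = ""


def csrf_token_for(session_id: str) -> str:
    """Synchronizer token bound to the session with an HMAC, so a token
    leaked from one session is useless in another."""
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def same_origin(url_a: str, url_b: str) -> bool:
    """Compare scheme, host and port only; a Referer with a path still matches."""
    pa, pb = urlparse(url_a), urlparse(url_b)
    return (pa.scheme, pa.hostname, pa.port) == (pb.scheme, pb.hostname, pb.port)


def confine_path(root: str, user_path: str) -> Optional[str]:
    """Resolve the user-supplied path under root; None if it escapes root."""
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, user_path.lstrip("/")))
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None


def handle_files(request: Request) -> Tuple[int, str]:
    """Return (status, message) for a file-manager request.
    A request is only acted on when all four checks pass."""
    # 1. State-changing actions are never reachable via GET, so an IMG tag
    #    or a link cannot trigger them.
    if request.method != "POST":
        return 405, "file operations require POST"
    # 2. The request must originate from the panel itself.
    origin = request.headers.get("Origin") or request.headers.get("Referer")
    if origin is None or not same_origin(origin, TRUSTED_ORIGIN):
        return 403, "cross-site request rejected"
    # 3. The per-session token must be present and match (constant time).
    token = request.form.get("csrf_token", "")
    if not hmac.compare_digest(token, csrf_token_for(request.session_id)):
        return 403, "missing or invalid CSRF token"
    # 4. The path parameter must stay inside the container's file root.
    target = confine_path(CONTAINER_ROOT, request.form.get("path", ""))
    if target is None:
        return 400, "path escapes container root"
    # At this point a real handler would perform the file operation on target.
    return 200, target


if __name__ == "__main__":
    sid = "session-42"
    forged = Request("GET", FILES_ENDPOINT, {"Referer": "https://attacker.invalid/"},
                     {"path": "etc/hosts"})
    print(handle_files(forged))          # (405, ...) a GET from an IMG tag is refused
    legit = Request("POST", FILES_ENDPOINT, {"Origin": TRUSTED_ORIGIN},
                    {"path": "home/notes.txt", "csrf_token": csrf_token_for(sid)}, sid)
    print(handle_files(legit))           # (200, '/vz/private/101/root/home/notes.txt')
```

The order of the checks matters for detection as much as for blocking: a 405 on GET tells you someone reached the endpoint through a link or image load, while a 403 on POST with a foreign Origin is a forged form submission, and logging each separately makes the difference visible in the panel's access logs.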
Weakness Enumeration
Related Identifiers
Affected Products
Parallels Virtuozzo