CVE-2018-16832

Name of the Vulnerable Software and Affected Versions xunfeng version 0.2.0

Description The issue allows an attacker to modify the configuration via a Flash file. This is possible because the views/lib/AntiCSRF.py file can overwrite the request.host value with the content of the X-Forwarded-Host HTTP header, bypassing the anti-csrf decorator's protection.

Recommendations For xunfeng version 0.2.0, as a temporary workaround, consider disabling the use of the X-Forwarded-Host HTTP header until a patch is available. Restrict access to the views/lib/AntiCSRF.py file to minimize the risk of exploitation. Avoid using the X-Forwarded-Host header in the affected configuration until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.