PT-2018-17760 · Cozy · Cozy
Published 2018-02-07 · Updated 2018-02-27 · CVE-2018-6824
CVSS v3.1: 6.1 (Medium)
| Vector | AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Cozy version 2
Description
The issue allows remote attackers to obtain administrative access via JavaScript code injected through the url parameter of the "/api/proxy" API endpoint. This can be achieved through an XMLHttpRequest call with a request containing email:"attacker@example.com", potentially followed by a password reset.
Recommendations
For Cozy version 2, as a temporary workaround, consider restricting access to the "/api/proxy" API endpoint until a patch is available. Avoid using the url parameter of this endpoint to minimize the risk of exploitation.
Exploit
Fix
XSS
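The workaround in Recommendations limits who can reach the endpoint; the durable fix is server-side validation of the url parameter itself, so that a value such as a javascript: URL is rejected before it can be reflected into a page. The following is an added example, not Cozy's code and not the project's actual fix: a validator for a proxy endpoint's url parameter, written for Node.js, that accepts only absolute http(s) URLs to an allow-listed set of hosts and rejects every other scheme, relative URLs, embedded credentials, and control characters. The host names, the names validateProxyUrl and handleProxyRequest, and the handler shape are assumptions for illustration.

```javascript
// Added example (not Cozy's code): server-side validation for a "url" query
// parameter handed to a proxy endpoint. The advisory describes JavaScript reaching
// the browser through such a parameter; this validator accepts only absolute
// http(s) URLs to an allow-listed set of hosts and rejects everything else.
// Host names below are constructed for the example.
const ALLOWED_HOSTS = new Set(["api.example.test", "files.example.test"]);

function validateProxyUrl(raw) {
  if (typeof raw !== "string" || raw.length === 0 || raw.length > 2048) {
    return { ok: false, reason: "missing, non-string or oversized url parameter" };
  }
  // Reject C0 controls, space and DEL before parsing: the WHATWG URL parser strips
  // leading/trailing controls and spaces, which can hide a hostile scheme from a
  // naive prefix check done on the raw string.
  if (/[\u0000-\u0020\u007f]/.test(raw)) {
    return { ok: false, reason: "control characters or whitespace in url parameter" };
  }
  let parsed;
  try {
    parsed = new URL(raw); // no base URL: relative URLs and bare paths throw here
  } catch (e) {
    return { ok: false, reason: "not an absolute URL" };
  }
  if (parsed.protocol !== "https:" && parsed.protocol !== "http:") {
    // javascript:, data:, vbscript:, file: and any other scheme stop here
    return { ok: false, reason: `scheme not allowed: ${parsed.protocol}` };
  }
  if (parsed.username || parsed.password) {
    return { ok: false, reason: "embedded credentials not allowed" };
  }
  // The parser lower-cases the host, so the allow-list comparison is case-insensitive.
  if (!ALLOWED_HOSTS.has(parsed.hostname)) {
    return { ok: false, reason: `host not in allow-list: ${parsed.hostname}` };
  }
  // Hand back the re-serialized URL, never the raw input, so whatever is later
  // logged or reflected is the canonical form.
  return { ok: true, url: parsed.href };
}

// Generic handler skeleton (not Cozy's router) showing how the validator gates the
// endpoint. Responses are plain text with an explicit Content-Type so a rejected
// value is never interpreted by the browser as HTML.
function handleProxyRequest(query) {
  const headers = { "Content-Type": "text/plain; charset=utf-8" };
  const result = validateProxyUrl(query.url);
  if (!result.ok) {
    return { status: 400, headers, body: "invalid url parameter" };
  }
  return { status: 200, headers, body: `would proxy ${result.url}` };
}
```

The allow-list is deliberately a set of exact host names rather than a suffix match; suffix matching ("ends with example.test") is a common way for an attacker-controlled host to slip through. The handler returns the parser's canonical href, so a consumer that later builds a redirect or a log line from it is working with a normalized string rather than the attacker's raw bytes.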
Weakness Enumeration
Related Identifiers
Affected Products
Cozy