PT-2026-26628 · Unknown · Precurio Intranet Portal
Indoushka · Published 2026-03-20 · Updated 2026-03-22 · CVE-2026-32989
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Precurio Intranet Portal version 4.4
Description
Precurio Intranet Portal 4.4 contains a cross-site request forgery condition. Attackers can leverage this to compel authenticated users to submit malicious requests to a profile update endpoint that manages file uploads. Successful exploitation allows attackers to upload executable files to publicly accessible locations, potentially resulting in arbitrary code execution on the web server. The vulnerable endpoint handles file uploads during profile updates. The profile update endpoint is susceptible to crafted requests.
Recommendations
Precurio Intranet Portal version 4.4: Implement same-site cookies and rotating tokens to prevent cross-site request forgery attacks.
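The recommendation above, sketched as an added example (not Precurio's code and not from the advisory author): a session cookie marked SameSite plus a per-session token that rotates after every accepted state-changing request. The names `CsrfTokens`, `handle_profile_update`, the `sid` cookie and the `csrf_token` form field are assumptions made for illustration.

```python
import hmac
import secrets
from http.cookies import SimpleCookie


def session_cookie_header(session_id):
    """Set-Cookie value that browsers will not attach to cross-site requests."""
    cookie = SimpleCookie()
    cookie["sid"] = session_id          # "sid" is an assumed cookie name
    cookie["sid"]["samesite"] = "Strict"
    cookie["sid"]["httponly"] = True
    cookie["sid"]["secure"] = True
    cookie["sid"]["path"] = "/"
    return cookie["sid"].OutputString()


class CsrfTokens:
    """One live token per session; every accepted request replaces it."""

    def __init__(self):
        self._current = {}  # session id -> token embedded in the last form

    def issue(self, session_id):
        token = secrets.token_urlsafe(32)
        self._current[session_id] = token
        return token

    def verify_and_rotate(self, session_id, submitted):
        expected = self._current.get(session_id)
        if not expected or not submitted:
            return False
        # Constant-time comparison avoids leaking the token byte by byte.
        if not hmac.compare_digest(expected.encode(), submitted.encode()):
            return False
        self.issue(session_id)  # rotate: the old token is now useless
        return True


def handle_profile_update(tokens, session_id, form):
    """Hypothetical handler: the token is checked before any upload is processed."""
    if not tokens.verify_and_rotate(session_id, form.get("csrf_token", "")):
        return 403  # forged or replayed request, upload never touched
    return 200      # the real handler would validate and store the file here
```

The token check only addresses the forgery; the upload itself still needs file type validation and a storage location that the web server does not execute.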
Exploit
Fix
Unrestricted File Upload
CSRF
Affected products
Precurio Intranet Portal