CVE-2018-16449

Name of the Vulnerable Software and Affected Versions OneThink version 1.1.141212

Description The issue allows for Cross-Site Request Forgery (CSRF) attacks, which can be used to perform unauthorized actions on the application. Specifically, it affects the addition of pages via "admin.php?s=/Channel/add.html", the addition of blogs via "admin.php?s=/Article/update.html", and the setting of the audit state via "admin.php?s=/Article/setStatus/status/1.html".

Recommendations For OneThink version 1.1.141212, as a temporary workaround, consider disabling the affected API endpoints "admin.php?s=/Channel/add.html", "admin.php?s=/Article/update.html", and "admin.php?s=/Article/setStatus/status/1.html" until a patch is available. Restrict access to these endpoints to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.