CVE-2019-10253

Name of the Vulnerable Software and Affected Versions: TeamMate+ version 21.0.0.0

Description: A Cross-Site Request Forgery (CSRF) issue exists, allowing a remote attacker to modify application data by uploading malicious or forged files on a TeamMate server, or replacing existing uploaded files with malicious ones. The flaw is due to the failure to validate a CSRF token before handling a POST request to the "Upload/DomainObjectDocumentUpload.ashx" endpoint.

Recommendations: For TeamMate+ version 21.0.0.0, consider disabling the handling of Upload/DomainObjectDocumentUpload.ashx requests until a patch is available to prevent exploitation. Restrict access to the Upload/DomainObjectDocumentUpload.ashx endpoint to minimize the risk of malicious file uploads. At the moment, there is no information about a newer version that contains a fix for this issue.