CVE-2020-14043

Name of the Vulnerable Software and Affected Versions Codiad versions 1.7.8 and later

Description A Cross Side Request Forgery (CSRF) vulnerability was found in the request to download a plugin from the marketplace, which is only available to admin users. The issue lies in the components/market/controller.php file, where the request is not CSRF protected. This might cause admins to make a vulnerable request without their knowledge, potentially resulting in remote code execution. The vendor has stated that Codiad is no longer under active maintenance by core contributors.

Recommendations For Codiad versions 1.7.8 and later, consider disabling the plugin download feature from the marketplace until a patch is available, as a temporary workaround to minimize the risk of exploitation. Restrict access to the components/market/controller.php file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.