PT-2020-14215 · Unknown · Save-Server

Published

2020-08-04

·

Updated

2020-08-10

·

CVE-2020-15135

CVSS v2.0

6.8

Medium

Vector AV:N/AC:M/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: save-server versions prior to 1.0.7
Description: save-server prior to 1.0.7 performs no CSRF mitigation on its state-changing endpoints, so any web page a logged-in user visits can make that user's browser send requests which save-server accepts on the strength of the session cookie alone. An attacker can thereby upload and delete files and add redirects on behalf of the victim. If the victim is logged in as root, the attack is more severe: the attacker can also create, delete and update users, including changing passwords, which can lead to unauthorized access to stored files. Version 1.0.7 patches the issue by implementing the double-submit cookie pattern: the server sets a random token in a cookie and requires the same value to be repeated in each state-changing request, then compares the two copies; a cross-site request carries the cookie automatically but cannot read it to supply the matching copy, so it is rejected.
Recommendations: Update save-server to version 1.0.7 or later. Until the update is applied, restrict access to sensitive actions, and avoid browsing untrusted sites while holding an active save-server session (in particular a root session), since the attack needs only a logged-in browser to load an attacker-controlled page.

Exploit

Fix

CSRF


Weakness Enumeration

Related Identifiers

CVE-2020-15135
GHSA-WWRJ-35W6-77FF

Affected Products

Save-Server