Arbitrary file deletion

2019-04-1017:29:00

PRIOn knowledge base

www.prio-n.com

8.8 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

52.7%

JSON

Cantemo Portal before 3.2.13, 3.3.x before 3.3.8, and 3.4.x before 3.4.9 has XSS. Leveraging this vulnerability would enable performing actions as users, including administrative users. This could enable account creation and deletion as well as deletion of information contained within the app.

CPENameOperatorVersion
portalge3.4.0
portallt3.4.9
portalge3.3.0
portallt3.3.8
portallt3.2.13

Name	Operator	Version
portal	ge	3.4.0
portal	lt	3.4.9
portal	ge	3.3.0
portal	lt	3.3.8
portal	lt	3.2.13

References

blog-posts--cantemo.netlify.com/news/2019/03/cantemo-portal-xss-vulnerabilities/

doc.cantemo.com/latest/ReleaseNotes/intro.html

www.bishopfox.com/blog/news-category/advisories/

www.bishopfox.com/news/2019/03/cantemo-portal-version-3-8-4-cross-site-scripting/