Full disclosure: Impersonation attacks on Edupage portal
Archived at seclists.org, 2026-5-17 21:14:55

Full Disclosure mailing list archives


From: Juraj Kosik <juraj.kosik () gmail com>
Date: Tue, 12 May 2026 12:46:55 +0200

VULNERABILITY
Non-sanitised upload of malicious SVG files to the Edupage portal, combined
with a CSRF vulnerability, allows triggering various actions on behalf of
other users, e.g. identity spoofing, sending fake messages, giving fake
approvals, etc.

Full disclosure report: https://jkosik.github.io/posts/edupage/
Reference: https://www.edupage.org/
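The upload half of the chain described above is an SVG carrying active content that is later served from the application's own origin. The following added example (not code from the advisory, from Edupage or from the vendor) screens SVG uploads server-side with a strict policy; the forbidden element set, the size limit and the sample files are assumptions made for the demo.

```python
"""Added example (not from the advisory): server-side screening of SVG uploads.
An SVG served from the app's own origin that carries active content runs in
every viewer's session; this strict policy rejects such files before storage."""
import xml.etree.ElementTree as ET

MAX_BYTES = 512 * 1024  # cap the input before it reaches the XML parser
FORBIDDEN_ELEMENTS = {"script", "foreignobject", "style", "iframe", "embed", "object"}


def _local(qname: str) -> str:
    """Strip an ElementTree namespace prefix: '{ns}script' -> 'script'."""
    return qname.rsplit("}", 1)[-1].lower()


def svg_findings(svg_bytes: bytes) -> list[str]:
    """Return the reasons an upload must be rejected; an empty list means clean."""
    if len(svg_bytes) > MAX_BYTES:
        return ["file exceeds size limit"]
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if _local(root.tag) != "svg":
        return [f"root element is <{_local(root.tag)}>, not <svg>"]
    findings = []
    for elem in root.iter():  # root first, then depth-first
        tag = _local(elem.tag)
        if tag in FORBIDDEN_ELEMENTS:
            findings.append(f"forbidden element <{tag}>")
        for attr, value in elem.attrib.items():
            name = _local(attr)  # xlink:href -> href
            if name.startswith("on"):
                findings.append(f"event handler attribute {name} on <{tag}>")
            elif name == "href" and not value.strip().startswith("#"):
                # Only in-document references pass: one rule covers javascript:,
                # data: and remote URLs alike.
                findings.append(f"href on <{tag}> is not an in-document fragment")
    return findings


def is_safe_svg(svg_bytes: bytes) -> bool:
    return not svg_findings(svg_bytes)


# Constructed samples for the demo (not real Edupage uploads).
CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
SCRIPT_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><script>1</script></svg>'
HANDLER_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="x">'
               b'<a href="javascript:x"/></svg>')
```

Even with this check in place, serving user uploads from a separate origin (or with Content-Disposition: attachment) and requiring an anti-CSRF token on every state-changing request each break the chain on their own.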

VENDOR
Applied Software Consultants

PRODUCT
Edupage - https://www.edupage.org/
Web application and mobile application (at least 2024.0.25 2.1.72)

AFFECTED COMPONENT
Edupage web and mobile application - multiple pages with a missing CSRF token
and multiple pages allowing attachment uploads.

ATTACK TYPE
Remote

DISCOVERER
Juraj Kosik

CVE
CVE-2025-70562
CVE-2025-70563
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/


Current thread:

  • Full disclosure: Impersonation attacks on Edupage portal Juraj Kosik (May 17)

Source: https://seclists.org/fulldisclosure/2026/May/4