


































VULNERABILITY Non-sanitised submission of malicious SVG files on the Edupage portal in combination with CSRF vulnerability allows triggering various actions on behalf of other users, e.g. identity spoofing, sending fake messages, giving fake approvals, etc. Full disclosure report: https://jkosik.github.io/posts/edupage/ Reference: https://www.edupage.org/ VENDOR: Applied Software Consultants PRODUCT: Edupage - https://www.edupage.org/ Web application and also mobile application (at least 2024.0.25 2.1.72) AFFECTED COMPONENT Edupage web and mobile application - multiple pages with missing CSRF token and multiple pages allowing attachment uploads. ATTACK TYPE Remote DISCOVERER Juraj Kosik CVE CVE-2025-70562 CVE-2025-70563 _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: https://seclists.org/fulldisclosure/
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。