Description
Multiple cross-site request forgery (CSRF) vulnerabilities allow remote attackers to execute unwanted actions in the portal.
Workaround:
Remove the following lines from the 'auth.token.ignore.actions' portal property:
    /blogs/edit_entry,\
    /blogs_aggregator/edit_entry,\
    /document_library/edit_file_entry,\
    /message_boards/edit_message,\
    /portal/comment/edit_discussion,\
Removing the above paths will disable the following features:
- Blog entry drafts and Wiki page drafts will no longer be automatically saved when the user's session expires
- Unauthenticated users will no longer be able to add a message in the Message Boards or add comments in the various apps that support comments.
To keep using these features, the above paths must be re-added after upgrading to a patched version of the portal.
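The following Python check is added here and is not part of the advisory or of the portal's own code: it reads a portal-ext.properties excerpt, joins the backslash-continued lines Liferay uses for long lists, and reports which of the five paths are still exempt from the CSRF auth token check. The two sample files and the /example/other_action entry are constructed placeholders.

```python
import re

# The five paths the advisory says to remove from auth.token.ignore.actions.
ADVISORY_PATHS = (
    "/blogs/edit_entry",
    "/blogs_aggregator/edit_entry",
    "/document_library/edit_file_entry",
    "/message_boards/edit_message",
    "/portal/comment/edit_discussion",
)

def parse_properties(text):
    """Minimal Java .properties reader: skips comments, joins backslash-continued
    lines (the layout Liferay uses for long lists) and splits key from value."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\"):          # continuation: keep accumulating
            pending += line[:-1]
            continue
        logical, pending = pending + line, ""
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", logical)
        if m:
            props[m.group(1)] = m.group(2)
    return props

def ignored_actions(props):
    """Comma-separated action paths exempt from the CSRF auth token check."""
    value = props.get("auth.token.ignore.actions", "")
    return [p.strip() for p in value.split(",") if p.strip()]

def check_advisory_paths(text):
    """Return the advisory paths still listed, i.e. the workaround is not applied."""
    present = set(ignored_actions(parse_properties(text)))
    return [p for p in ADVISORY_PATHS if p in present]

# Constructed portal-ext.properties excerpts; /example/other_action is a placeholder.
SAMPLE_BEFORE = """\
# constructed sample: workaround not yet applied
auth.token.ignore.actions=\\
    /blogs/edit_entry,\\
    /blogs_aggregator/edit_entry,\\
    /document_library/edit_file_entry,\\
    /message_boards/edit_message,\\
    /portal/comment/edit_discussion,\\
    /example/other_action
"""
SAMPLE_AFTER = """\
auth.token.ignore.actions=\\
    /example/other_action
"""

if __name__ == "__main__":
    for name, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(name, "still exempt:", check_advisory_paths(sample) or "none")
```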
Severity
Severity 2
Fixed Version(s)
Acknowledgments
This issue was reported by Marko Winkler
Publication date: Tue, 29 May 2018 04:00:00 +0000