Skip to main content

This site requires you to update your browser. Your browsing experience maybe affected by not having the most up to date version.

SS-2015-029: CSRF vulnerability in savetreenodes

Low (?)
Versions Affected:
3.1.18, 3.2.3, 3.3.1
Versions Fixed:
3.1.19, 3.2.4, 3.3.2
Release Date:

savetreenode action does not have sufficient CSRF protection, meaning that in some cases users with CMS access can be tricked into posting unspecified data into the CMS from external websites.

The resolution for this issue is to ensure that a security token is sent with the request and validated on the server side.

Credit: Alain J Homewood - PWC