CVE-2022-36536 An issue in the component post_applogin.php of Super Flexible Software GmbH & Co
Vulnerability summary

Additionally, this issue may allow remote attackers to hijack the authentication of arbitrary users, due to insecure handling of the CSRF protection mechanism. In order to exploit this issue, a remote attacker must be able to acquire a valid session token. For example, this can be achieved by injecting a userID in the session or by a CSRF attack.

- Remote Code Execution: In the component post_applogin.php of Super Flexible Software GmbH & Co. KG Syncovery 9 for Linux v9.47x and below, there is a possible way for remote attackers to execute arbitrary code via a crafted session token.
- Insecure Direct Object Reference: In the component post_applogin.git of Super Flexible Software GmbH & Co. KG Syncovery 9 for Linux v9.47x and below, there is a possible way for remote attackers to obtain sensitive information by reading an insecure direct object reference.
- SQL Injection: In the component post_applogin.php of Super Flexible Software GmbH & Co. KG Syncovery 9 for Linux v9.47x and below,
Timeline
Published on: 09/16/2022 03:15:00 UTC
Last modified on: 09/17/2022 02:35:00 UTC