Description
Cotonti 1.0.0 (master branch, commit f43f1fc3) is vulnerable to Cross-Site Request Forgery in the Personal File Storage (PFS) module. In modules/pfs/inc/pfs.editfolder.php, the folder update action ('a=update') updates folder metadata (title, description, public/gallery flags) without calling cot_check_xg() to validate the anti-CSRF token. A remote attacker who lures an authenticated user into visiting a malicious page can force the browser to submit a forged request that modifies the victim's folder metadata, including making a private folder public.
Published: 2026-06-18
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Cotonti 1.0.0 is vulnerable to Cross-Site Request Forgery in the Personal File Storage module; the update action for folders does not require a CSRF token. A remote attacker can lure an authenticated user to a malicious page that forces the browser to submit a forged request, altering folder metadata such as the title, description, public and gallery flags. This allows an attacker to turn a private folder into a public one or otherwise tamper with a user's data.

Affected Systems

The affected product is Cotonti (vendor: Cotonti), specifically the PFS module in the master branch at commit f43f1fc3. Users running this version or a similar unpatched release are susceptible to unauthorized folder metadata changes.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, while the EPSS score of < 1% reflects a low likelihood of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated user who visits a crafted page; common phishing or social engineering tactics could provide the necessary user interaction. No special system privilege or network exposure is required beyond an active user session.

Generated by OpenCVE AI on June 18, 2026 at 19:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Cotonti to a version that includes the CSRF fix for the PFS module
  • If an upgrade is not immediately possible, disable the PFS update functionality or remove the PFS module entirely from the site
  • Implement site-wide CSRF protection to validate anti-CSRF tokens on all state-changing requests and enforce strict access controls on file storage features
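The missing check from the description above and the token validation the last recommendation calls for, as an illustrative PHP sketch added here rather than Cotonti's own pfs.editfolder.php: the real Cotonti helpers are cot_import(), cot_check_xg(), cot_xg() and cot_die(); pfs_save_folder() and the field names are assumptions.

```php
<?php
/*
 * Illustrative sketch added with this record, not the code of
 * modules/pfs/inc/pfs.editfolder.php. Real Cotonti helpers used:
 *   cot_import()   - reads one request parameter through a named filter
 *   cot_check_xg() - validates the per-session anti-CSRF token sent as "x"
 *   cot_xg()       - returns "x=<token>" for building protected form URLs
 *   cot_die()      - aborts the request
 * pfs_save_folder() is a hypothetical placeholder for the database write.
 */
defined('COT_CODE') or die('Wrong URL');

function pfs_read_folder_fields()
{
    // The metadata the advisory says a forged request can overwrite.
    return [
        'title'     => cot_import('title', 'P', 'TXT'),
        'desc'      => cot_import('desc', 'P', 'TXT'),
        'ispublic'  => cot_import('ispublic', 'P', 'BOL'),
        'isgallery' => cot_import('isgallery', 'P', 'BOL'),
    ];
}

// Vulnerable shape (CWE-352): the only credential on this request is the
// session cookie, which the browser attaches to a cross-site POST as well,
// so a page the user merely visits can flip a private folder to public.
function pfs_handle_update_unsafe($folderid)
{
    pfs_save_folder($folderid, pfs_read_folder_fields());
}

// Hardened shape: the handler refuses to write unless the request carries
// the token bound to the user's own session. A third-party page cannot
// read that token, so a forged request aborts before any metadata changes.
// (Whether cot_check_xg() returns false or dies on mismatch varies by
// Cotonti version; the "or cot_die()" idiom covers both.)
function pfs_handle_update($folderid)
{
    cot_check_xg() or cot_die();
    pfs_save_folder($folderid, pfs_read_folder_fields());
}

// Dispatch: the legitimate edit form must embed the token, e.g. by
// appending cot_xg() to its action URL:
//   cot_url('pfs', 'a=update&folderid=' . $folderid . '&' . cot_xg())
$a        = cot_import('a', 'G', 'ALP');
$folderid = cot_import('folderid', 'G', 'INT');
if ($a === 'update') {
    pfs_handle_update($folderid);
}
```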

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 16:45:00 +0000

Values added (no values removed):

Description: Cotonti 1.0.0 (master branch, commit f43f1fc3) is vulnerable to Cross-Site Request Forgery in the Personal File Storage (PFS) module. In modules/pfs/inc/pfs.editfolder.php, the folder update action ('a=update') updates folder metadata (title, description, public/gallery flags) without calling cot_check_xg() to validate the anti-CSRF token. A remote attacker who lures an authenticated user into visiting a malicious page can force the browser to submit a forged request that modifies the victim's folder metadata, including making a private folder public.
Title: Cotonti CSRF in PFS folder edit allows unauthorized folder modification
Weaknesses: CWE-352
References: (none)
Metrics:
  cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N'}
  cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


MITRE

Status: PUBLISHED

Assigner: TuranSec

Published:

Updated: 2026-06-18T12:53:11.134Z

Reserved: 2026-06-17T12:59:17.621Z

Link: CVE-2026-55745

Vulnrichment

Updated: 2026-06-18T12:53:06.421Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T20:00:15Z

Weaknesses
  • CWE-352: Cross-Site Request Forgery (CSRF)