Full Disclosure mailing list archives
Full disclosure: Impersonation attacks on Edupage portal
From: Juraj Kosik <juraj.kosik () gmail com>
Date: Tue, 12 May 2026 12:46:55 +0200
VULNERABILITY Non-sanitised submission of malicious SVG files on the Edupage portal in combination with CSRF vulnerability allows triggering various actions on behalf of other users, e.g. identity spoofing, sending fake messages, giving fake approvals, etc. Full disclosure report: https://jkosik.github.io/posts/edupage/ Reference: https://www.edupage.org/ VENDOR: Applied Software Consultants PRODUCT: Edupage - https://www.edupage.org/ Web application and also mobile application (at least 2024.0.25 2.1.72) AFFECTED COMPONENT Edupage web and mobile application - multiple pages with missing CSRF token and multiple pages allowing attachment uploads. ATTACK TYPE Remote DISCOVERER Juraj Kosik CVE CVE-2025-70562 CVE-2025-70563 _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: https://seclists.org/fulldisclosure/
Current thread:
- Full disclosure: Impersonation attacks on Edupage portal Juraj Kosik (May 17)
