CVE-2026-55745
Status: Received - Intake
Cross-Site Request Forgery in Cotonti PFS Module

Publication date: 2026-06-18

Last updated on: 2026-06-18

Assigner: 309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c

Description
Cotonti 1.0.0 (master branch, commit f43f1fc3) is vulnerable to Cross-Site Request Forgery in the Personal File Storage (PFS) module. In modules/pfs/inc/pfs.editfolder.php, the folder update action ('a=update') updates folder metadata (title, description, public/gallery flags) without calling cot_check_xg() to validate the anti-CSRF token. A remote attacker who lures an authenticated user into visiting a malicious page can force the browser to submit a forged request that modifies the victim's folder metadata, including making a private folder public.
Meta Information
Generated: 2026-06-18
AI Q&A generated: 2026-06-18
EPSS evaluated: N/A
Affected Vendors & Products (1 associated CPE)
Vendor: cotonti
Product: cotonti
Version / Range: 1.0.0
CWE
CWE-352: The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
AI Quick Actions
Executive Summary

CVE-2026-55745 is a Cross-Site Request Forgery (CSRF) vulnerability in Cotonti 1.0.0's Personal File Storage (PFS) module. Specifically, the folder update action in the file pfs.editfolder.php does not validate an anti-CSRF token when updating folder metadata such as title, description, and public/gallery flags.

This means a remote attacker can trick an authenticated user into visiting a malicious page that causes the user's browser to submit a forged request, modifying the victim's folder metadata without their consent.

Additionally, the vulnerability involves improper input validation and sanitization of parameters like folder title, description, and permissions, which could lead to unauthorized actions or injection attacks such as SQL injection or cross-site scripting (XSS).

Compliance Impact

The vulnerability in Cotonti 1.0.0's Personal File Storage module allows an attacker to modify folder metadata, including making private folders public without proper authorization.

This unauthorized modification of folder privacy settings could lead to unintended data exposure, which may violate data protection requirements under regulations such as GDPR and HIPAA that mandate strict controls over personal and sensitive data.

Therefore, exploitation of this vulnerability could compromise compliance with these standards by enabling unauthorized access or disclosure of protected information.

Impact Analysis

This vulnerability can allow an attacker to modify folder metadata in the Personal File Storage module without the user's permission.

  • An attacker can make a private folder public, exposing sensitive files.
  • Unauthorized changes to folder titles and descriptions can cause confusion or mislead users.
  • The lack of input validation increases the risk of SQL injection or cross-site scripting attacks, potentially leading to further system compromise.
Detection Guidance

This vulnerability can be detected by monitoring for unauthorized or unexpected changes to folder metadata in the Personal File Storage (PFS) module of Cotonti CMS, especially changes to folder titles, descriptions, and public/gallery flags.

Since the vulnerability involves Cross-Site Request Forgery (CSRF) attacks exploiting the lack of anti-CSRF token validation, detection can include checking web server logs for suspicious POST requests to the endpoint handling folder updates (modules/pfs/inc/pfs.editfolder.php with action 'a=update') that originate from unusual or external referrers.

Suggested commands to detect suspicious activity include:

  • Using grep or similar tools to search web server logs for POST requests to the vulnerable endpoint: `grep 'POST .*pfs.editfolder.php.*a=update' /var/log/apache2/access.log`. Note that Cotonti dispatches module requests through its front controller (index.php), so the include path modules/pfs/inc/pfs.editfolder.php does not normally appear in the request line; match instead on the query parameters your installation uses for the PFS folder-update action (the PFS module parameters together with `a=update`).
  • Checking for unexpected changes in folder metadata in the database by querying the relevant tables for recent updates, for example: `SELECT * FROM pfs_folders WHERE last_modified > NOW() - INTERVAL 1 DAY;` (adapt the table name, which carries the installation's table prefix, and the timestamp column to the installed schema).
  • Monitoring for unusual referrer headers or IP addresses in access logs that might indicate CSRF attempts.
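The referrer check described above, as an added detection example that is not part of the advisory or of Cotonti's own code: it parses Apache combined-format access log lines and flags POSTed folder updates whose Referer is absent or from another origin. It assumes the folder-update action is selected by query parameters `e=pfs` and `a=update` (the `m=editfolder` parameter in the sample lines is likewise an assumption); adjust `is_pfs_update` to the URLs your installation actually logs.

```python
"""Flag likely CSRF-driven PFS folder updates in Apache combined-format access logs."""
import re
from urllib.parse import urlparse, parse_qs

# Apache "combined" format: ip ident user [time] "METHOD target PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

def is_pfs_update(target: str) -> bool:
    """True when the request targets the PFS folder-update action.
    Cotonti routes through index.php, so match on query parameters; the
    parameter names e=pfs and a=update are assumptions, not from the advisory."""
    qs = parse_qs(urlparse(target).query)
    return qs.get("e") == ["pfs"] and qs.get("a") == ["update"]

def find_suspicious_updates(lines, site_host):
    """Return (ip, time, referer, reason) for POSTed folder updates whose Referer
    is missing or belongs to another origin. A legitimate submission from the
    folder edit form carries a same-origin Referer; a request forged from a
    third-party page does not."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or not is_pfs_update(m["target"]):
            continue
        ref = m["referer"]
        if ref in ("", "-"):
            findings.append((m["ip"], m["time"], ref, "no referer"))
        elif urlparse(ref).hostname != site_host:
            findings.append((m["ip"], m["time"], ref, "cross-origin referer"))
    return findings

# Constructed sample lines (not taken from any real server):
SAMPLE_LOG = [
    '203.0.113.5 - - [18/Jun/2026:10:01:02 +0000] "POST /index.php?e=pfs&m=editfolder&a=update&id=7 HTTP/1.1" 302 0 "https://cms.example.org/index.php?e=pfs&m=editfolder&id=7" "Mozilla/5.0"',
    '203.0.113.5 - - [18/Jun/2026:10:05:40 +0000] "POST /index.php?e=pfs&m=editfolder&a=update&id=7 HTTP/1.1" 302 0 "https://third-party.example.net/page.html" "Mozilla/5.0"',
    '198.51.100.9 - - [18/Jun/2026:10:06:11 +0000] "POST /index.php?e=pfs&m=editfolder&a=update&id=3 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [18/Jun/2026:10:07:00 +0000] "GET /index.php?e=pfs&m=editfolder&id=3 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_suspicious_updates(SAMPLE_LOG, "cms.example.org"):
        print(hit)
```

Browsers may strip the Referer under strict referrer policies, so a missing Referer is a lead to correlate with the database check above, not proof of forgery on its own.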
Mitigation Strategies

Immediate mitigation steps include:

  • Apply an update or patch to the Cotonti CMS that includes proper anti-CSRF token validation in the Personal File Storage (PFS) module, specifically ensuring that the folder update action calls cot_check_xg() or equivalent CSRF protection.
  • If a patch is not available, temporarily restrict access to the PFS folder update functionality to trusted users only or disable the module until a fix is applied.
  • Implement web application firewall (WAF) rules to block suspicious POST requests to the vulnerable endpoint.
  • Educate users to avoid clicking on suspicious links or visiting untrusted websites while authenticated to the Cotonti CMS.