Vulnonym.com

CVE-2012-3231 - Upset Jeopardy

Description

Multiple cross-site request forgery (CSRF) vulnerabilities in web@all 2.0, as downloaded before May 30, 2012, allow remote attackers to hijack the authentication of administrators for requests that add, delete, or modify sensitive information, as demonstrated by adding a file to execute arbitrary code via a do_addfile action to inc/browser/action.php.

Reference

http://www.securityfocus.com/bid/54109
https://www.htbridge.com/advisory/HTB23094