CRITICAL🇵🇱 Wersja polska

CVE-2026-28508

CVSS 9.2v4.0pub. 2026-03-06upd. 2026-03-16

Idno is a social publishing platform. Prior to version 1.6.4, a logic error in the API authentication flow causes the CSRF protection on the URL unfurl service endpoint to be trivially bypassed by any unauthenticated remote attacker. Combined with the absence of a login requirement on the endpoint itself, this allows an attacker to force the server to make arbitrary outbound HTTP requests to any host, including internal network addresses and cloud instance metadata services, and retrieve the response content. This issue has been patched in version 1.6.4.

CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Withknown Known

    APP
    Withknown
    < 1.6.4
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2026-26273CRITICAL9.8PL ✓ten sam produkt

Wyciek tokena resetowania hasła w Known – przejęcie konta bez dostępu do skrzynki e-mail

CVE-2026-28507HIGH8.6ten sam produkt

Idno is a social publishing platform. Prior to version 1.6.4, there is a remote code execution vulnerability v...

CVE-2022-33011HIGH8.8ten sam produkt

Known v1.3.1+2020120201 was discovered to allow attackers to perform an account takeover via a host header inj...

CVE-2022-30852MEDIUM4.3ten sam produkt

Known v1.3.1 was discovered to contain an Insecure Direct Object Reference (IDOR).

CVE-2022-31290MEDIUM5.4ten sam produkt

A cross-site scripting (XSS) vulnerability in Known v1.2.2+2020061101 allows authenticated attackers to execut...