Comment 0 for bug 1480329

Hi this is Abdullah ,

I found CSRF make user upload files to any group without his know it can be used to attack admins to upload evil files .

PoC :

video

http://www.youtube.com/watch?v=M-NyrwKBzmw&feature=youtu.be

the fix :

check sesskey is valid in (groupfiles.php)

I hope put my name in release note .

Are there a CVE for this bug ?

Thanks

Used mahara least version