A vulnerability in ASP.NET Core could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on a targeted system – CVE-2018-0785
The vulnerability is due to the use of vulnerable project templates when a web application is created with the affected software. An attacker could exploit this vulnerability by persuading a user to access a link that submits malicious input to the affected software. A successful exploit could allow the attacker to modify the user’s two-factor authentication (2FA) device’s recovery codes without the user’s knowledge. This could lead to a denial of service (DoS) condition if the user loses access to the 2FA device and requires a recovery code.
Microsoft confirmed the vulnerability and released software updates.