Cross-Site Request Forgery vulnerability in load.ashx?

  •  08-05-2015, 10:41 PM


    We've recently had our website scanned for security vulnerabilities by an external vendor. Though they came back with all kinds of things, one of them was a Cross-Site Request Forgery that they tied back to CuteSoft_Client/CuteEditor/Load.ashx. Effectively, they were saying that this page could be leveraged to call and execute arbitrary code from a remote site, as it generated the same response for them whether they called it legitimately or whether they called it via a fictitious, manually-formed request that included a different referrer in the header. Essentially, their claim is that it doesn't validate the caller or referrer before it loads the requested code.


    I did some (albeit brief) testing, and it seems like this page will only load code from a certain folder under the application, but is there a concern with the potential risk here? Or is this a false positive they're returning? This isn't an area where I'm super-knowledgeable, but it doesn't seem like the referrer would impact what should be executed. If anything, it seems like I could put malicious code on my side and force other sites to execute it remotely (by calling my code from their site via the CSRF), but it wouldn't pose additional threats to users of my site.


    I appreciate the group's confirmation (or negation) of this potential threat, as I'd like to respond to the line item appropriately.


    Thanks! 
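The two checks the post contrasts, as an added example that is not part of the original post and not CuteSoft's code: a Referer-based check, which is what the vendor's forged request was probing, and a path-confinement check, which is what actually governs which file a resource loader hands back. The example is a Python stand-in for a handler that serves files from one folder, following the poster's observation that the page only loads code from a certain folder under the application; it does not describe how Load.ashx itself is implemented. The folder name, the fake filesystem contents, the hostname and every request below are constructed for the demo.

```python
"""Referer check vs. path confinement for a read-only resource loader.

Added example, not CuteSoft code. ALLOWED_ROOT, FAKE_FS, the hostname and
all requests are constructed for the demonstration.
"""
from urllib.parse import unquote
import posixpath

# Constructed: the one folder the handler is meant to serve from, plus a
# fake filesystem standing in for the deployed application.
ALLOWED_ROOT = "/app/CuteSoft_Client/CuteEditor/Scripts"
FAKE_FS = {
    ALLOWED_ROOT + "/editor.js": "/* editor script */",
    ALLOWED_ROOT + "/lang/en.js": "/* english strings */",
    "/app/web.config": "<configuration><connectionStrings/></configuration>",
}
OWN_HOST = "www.example.com"  # constructed


def referer_matches(headers):
    """The control the scanner was looking for: accept only requests whose
    Referer names our own host. A non-browser client sets this header to
    anything it likes, so on its own it only affects browser-originated
    cross-site requests; it says nothing about *which* file is served."""
    referer = headers.get("Referer", "")
    return referer.startswith("https://" + OWN_HOST + "/")


def resolve_confined(requested):
    """Map the requested relative path onto ALLOWED_ROOT and return the
    absolute path, or None if the result would leave that folder.

    Order matters: decode once, reject absolute paths / backslashes / NULs,
    normalise dot segments, then prefix-check against ROOT + '/' so that a
    sibling folder such as '.../ScriptsEvil' cannot pass the check."""
    path = unquote(requested)
    if path.startswith(("/", "\\")) or "\\" in path or "\x00" in path:
        return None
    full = posixpath.normpath(posixpath.join(ALLOWED_ROOT, path))
    if full == ALLOWED_ROOT or not full.startswith(ALLOWED_ROOT + "/"):
        return None
    return full


def load(requested, headers, check_referer=False):
    """Simulated handler. Returns (status, body)."""
    if check_referer and not referer_matches(headers):
        return 403, ""
    full = resolve_confined(requested)
    if full is None:
        return 400, ""
    body = FAKE_FS.get(full)
    if body is None:
        return 404, ""
    return 200, body


def scanner_observation():
    """Reproduce what the vendor saw: same answer for a legitimate Referer
    and a forged one, because the handler ignores the header."""
    legit = load("editor.js", {"Referer": "https://" + OWN_HOST + "/page"})
    forged = load("editor.js", {"Referer": "https://attacker.example/"})
    return legit == forged, legit


def traversal_attempts():
    """What a reviewer should test instead: does any spelling of the path
    escape the folder? Returns {request: status}."""
    probes = [
        "lang/en.js",                      # legitimate file in a subfolder
        "lang/../editor.js",               # dot segment that stays inside
        "../../../web.config",             # plain traversal
        "..%2f..%2f..%2fweb.config",       # URL-encoded traversal
        "/app/web.config",                 # absolute path
        "",                                # the folder itself
    ]
    return {p: load(p, {})[0] for p in probes}


if __name__ == "__main__":
    same, resp = scanner_observation()
    print("identical response regardless of Referer:", same, resp)
    for probe, status in traversal_attempts().items():
        print(f"{status}  {probe!r}")
```

The point the demo makes is that identical responses for different Referer values are the normal behaviour of a loader that serves static script files on GET, and a Referer check would not change what the handler can be made to return anyway, since anyone scripting a request controls that header. The question worth answering for the vendor is the second function's: whether any encoding or dot-segment trick makes the handler read outside its folder.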
