| Title | Sitemagic CMS v4.4.1 - Multiple Cross-Site-Request-Forgery (CSRF) |
|---|
| Description | It was observed that the application did not contain any Cross-Site Request Forgery protection. This allows attackers to cause application users or administrators to carry out functionality on their behalf, such as adding a new administrative user or changing a user's details.
Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. As the request inherits the identity of the victim, it can perform any function on the victim's behalf, like change the victim's e-mail address, home address, password, or purchase something.
In this particular case, it could be possible for an attacker to trick the victim into performing administrative action, change the site contents, add tabs, upload web shells or other malicious files, and other critical actions that may allow the attacker to entirely compromise the hosting server.
The vulnerability, discovered in version 4.4.1, had been fixed in 4.4.2. The CVE ID assigned to this vulnerability is CVE-2019-18220.
|
|---|
| Source | ⚠️ https://github.com/Jemt/SitemagicCMS/blob/master/changelog.txt |
|---|
| Submission | 21/10/2019 17:17 (5 years ago) |
|---|
| Moderation | 22/10/2019 09:17 (16 hours later) |
|---|
| Status | تمت الموافقة |
|---|
| VulDB Entry | 144008 |
|---|