CVE-2013-2754 in UMI.CMS
Summary
by MITRE
Cross-site request forgery (CSRF) vulnerability in Umisoft UMI.CMS before 2.9 build 21905 allows remote attackers to hijack the authentication of administrators for requests that add administrator accounts via a request to admin/users/add/user/do/.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 05/07/2026
The CVE-2013-2754 vulnerability represents a critical cross-site request forgery flaw in Umisoft UMI.CMS versions prior to 2.9 build 21905. This vulnerability exposes the content management system to unauthorized administrative actions through malicious web requests that can be executed without the knowledge or consent of legitimate administrators. The flaw specifically targets the administrator account creation functionality within the CMS, making it particularly dangerous for organizations relying on this platform for their web content management needs.
The technical implementation of this CSRF vulnerability stems from the absence of proper anti-CSRF token validation within the administrative user account creation endpoint. When an administrator visits a malicious website or clicks on a crafted link, the attacker can construct a request that automatically submits data to the vulnerable CMS administration interface. The request targets the specific URL path admin/users/add/user/do/ which handles the creation of new administrator accounts. Without proper token verification or session validation, the CMS processes these requests as legitimate administrative actions, allowing attackers to create new administrative accounts with potentially elevated privileges.
This vulnerability operates under the framework of CWE-352, which specifically addresses Cross-Site Request Forgery weaknesses in software applications. The attack vector leverages the trust relationship between the CMS application and its authenticated administrators, exploiting the fact that the application does not validate the origin or authenticity of requests made to administrative endpoints. The operational impact extends beyond simple account creation, as successful exploitation can lead to complete system compromise. An attacker who successfully creates an administrative account gains full control over the CMS, enabling them to modify content, steal sensitive data, install malicious software, or use the compromised system as a launching point for further attacks within the organization's network infrastructure.
The threat landscape for this vulnerability aligns with ATT&CK technique T1566, which covers Phishing with a malicious attachment or link, as attackers typically deploy CSRF attacks through deceptive web pages or social engineering campaigns. Organizations using vulnerable versions of UMI.CMS face significant risk of unauthorized access and potential data breaches, particularly in environments where administrative privileges are not adequately protected through additional security layers such as two-factor authentication or network segmentation. The vulnerability's impact is exacerbated by the fact that it does not require authentication from the attacker, making it particularly dangerous for organizations with less robust security monitoring in place.
Mitigation strategies for CVE-2013-2754 primarily involve upgrading to UMI.CMS version 2.9 build 21905 or later, which implements proper anti-CSRF token validation. Organizations should also implement additional security controls including web application firewalls, input validation for administrative endpoints, and regular security audits of their CMS installations. Security teams should monitor for exploitation attempts through unusual administrative account creation patterns and implement proper access controls and privilege management practices. The vulnerability demonstrates the critical importance of maintaining up-to-date software versions and implementing comprehensive security testing procedures to identify and remediate authentication-related flaws in web applications.