CVE-2013-7352 in b2evolution

Summary

by MITRE

Cross-site request forgery (CSRF) vulnerability in blogs/admin.php in b2evolution before 4.1.7 allows remote attackers to hijack the authentication of administrators for requests that conduct SQL injection attacks via the show_statuses[] parameter, related to CVE-2013-2945.


Analysis

by VulDB Data Team • 05/09/2026

CVE-2013-7352 is a critical cross-site request forgery (CSRF) flaw in the b2evolution blogging platform before version 4.1.7. It affects the blogs/admin.php component and lets remote adversaries act through an administrator's authenticated session by means of crafted requests. The show_statuses[] parameter is the entry point for the attack. Security researchers have placed the issue within a broader pattern of content management system vulnerabilities in which session-management flaws open the way to privilege escalation and data manipulation.

Technically, the vulnerability stems from the absence of CSRF protection in the administrative interface. When an administrator uses the affected admin.php page, the application neither validates the origin of requests nor requires anti-CSRF tokens, the mechanism that would normally prevent unauthorized actions from being executed on behalf of an authenticated user. An attacker can build a malicious web page, or use other flaws in the application, to submit requests that look legitimate to the server. The issue is especially dangerous in combination with CVE-2013-2945, a SQL injection vulnerability: an attacker can not only ride the administrator's session but also execute arbitrary database commands, potentially leading to complete system compromise and data exfiltration.

The operational impact goes well beyond session hijacking, since a successful attack yields administrative control of the blogging platform. An attacker who exploits the CSRF flaw can create new administrator accounts, modify user permissions, delete content, or deliver SQL injection payloads that expose sensitive database information. The attack requires little technical expertise and can be automated with common web-based attack frameworks, which makes it attractive to threat actors. The vulnerability maps to CWE-352 (Cross-Site Request Forgery); in ATT&CK terms it falls under TA0001 Initial Access and TA0002 Execution, as the attacker establishes a foothold and executes commands in the compromised environment.

Organizations running affected versions of b2evolution face significant risk, because the flaw effectively lets an attacker act with full administrative privileges without possessing any credentials. That the issue persisted in the codebase for an extended period before being patched underlines the value of regular security assessments and timely patch management. Administrators should upgrade to b2evolution 4.1.7 or later, which adds proper CSRF token handling and improved session management. Further defensive measures include a web application firewall that flags suspicious parameter manipulation, regular audits of administrative interfaces, and network segmentation to contain the impact of a successful attack. The vulnerability also underscores the need for strict input validation and for applying the principle of least privilege to administrative components of web applications.
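The two fixes the analysis calls for, an anti-CSRF token on the admin action and input validation of the status filter, as an added PHP example that is not b2evolution's own code. The function names, the csrf_token form field and the status allowlist are constructed for illustration.

```php
<?php
// Added example, not b2evolution code: synchronizer-token CSRF check plus
// allowlist validation for a multi-value filter parameter like show_statuses[].
declare(strict_types=1);

// Constructed allowlist; a real deployment would take this from the application's status model.
const ALLOWED_STATUSES = ['published', 'draft', 'deprecated', 'private', 'protected'];

/** Return the per-session token; create it once and embed it as a hidden form field. */
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));   // 256 bits of CSPRNG output
    }
    return $_SESSION['csrf_token'];
}

/** True only if the submitted token equals the session token; hash_equals avoids timing leaks. */
function csrf_verify(array $request): bool
{
    $submitted = $request['csrf_token'] ?? '';
    $expected  = $_SESSION['csrf_token'] ?? '';
    return is_string($submitted) && $expected !== '' && hash_equals($expected, $submitted);
}

/** Keep only known status names so nothing attacker-controlled ever reaches the SQL text. */
function sanitize_statuses($raw): array
{
    if (!is_array($raw)) {
        return [];
    }
    $strings = array_filter($raw, 'is_string');
    return array_values(array_intersect($strings, ALLOWED_STATUSES));
}

// Request handling for a state-changing admin action: require POST and a valid token.
session_start();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_verify($_POST)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token');
    }
    $statuses = sanitize_statuses($_POST['show_statuses'] ?? []);
    if ($statuses !== []) {
        // Bind the surviving values as placeholders; never interpolate them into the query.
        $placeholders = implode(',', array_fill(0, count($statuses), '?'));
        // $stmt = $pdo->prepare("SELECT ... WHERE post_status IN ($placeholders)");
        // $stmt->execute($statuses);
    }
}
```

The token check stops a cross-site page from driving the action through an administrator's session, and the allowlist removes the injection surface of show_statuses[] even if a request does get through.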

Reservation: 04/02/2014

Disclosure: 04/02/2014

Moderation: accepted

Entry: VDB-66855

CPE: ready

EPSS: 0.00281

KEV: no

Activities: low

Sources
