CVE-2016-20053 in Redaxoinfo

Summary

by MITRE • 04/04/2026

Redaxo CMS 5.2 contains a cross-site request forgery vulnerability that allows unauthenticated attackers to create administrative user accounts by tricking authenticated administrators into visiting malicious pages. Attackers can craft HTML forms targeting the users endpoint with hidden fields containing admin credentials and account parameters to add new administrator accounts without user consent.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 04/05/2026

The vulnerability identified as CVE-2016-20053 represents a critical cross-site request forgery flaw within Redaxo CMS version 5.2, classified under CWE-352 which specifically addresses CSRF weaknesses in web applications. This vulnerability exists due to the absence of proper anti-CSRF mechanisms in the user management endpoint, allowing attackers to exploit the trust relationship between the CMS and authenticated administrators. The flaw stems from the application's failure to validate the origin of requests when processing user account creation operations, creating a pathway for malicious actors to manipulate the system through carefully crafted web requests.

The technical implementation of this vulnerability enables attackers to construct malicious HTML pages containing hidden forms that automatically submit requests to the CMS users endpoint. These forms include hidden input fields populated with administrative credentials and account configuration parameters that would normally require explicit user interaction through authenticated sessions. When an administrator visits a page containing such malicious content while logged into the CMS, the browser automatically submits the forged request without their knowledge or consent, effectively creating new administrative accounts with predetermined privileges. This exploitation technique leverages the browser's automatic form submission behavior and the lack of CSRF token validation in the CMS's user management interface.

The operational impact of this vulnerability extends beyond simple privilege escalation, as it provides attackers with complete administrative control over the CMS installation. Once an attacker successfully creates an administrative account, they can modify content, access sensitive data, install malicious plugins, alter user permissions, and potentially use the compromised CMS as a staging ground for further attacks against the underlying web infrastructure. The vulnerability's unauthenticated nature means that attackers do not require initial access credentials, making it particularly dangerous as it can be exploited remotely without prior system compromise. This creates a significant risk for websites relying on Redaxo CMS, as the attack vector can be delivered through various means including phishing emails, compromised websites, or malicious advertisements.

Organizations using Redaxo CMS version 5.2 should immediately implement mitigation strategies focusing on the core CSRF protection mechanisms. The primary recommendation involves implementing proper CSRF token validation for all administrative endpoints, specifically requiring unique tokens that are tied to the user's session and validated server-side before processing any user creation requests. Additionally, organizations should consider implementing Content Security Policy headers to restrict form submissions to trusted origins and ensure that the CMS is updated to a version that includes proper CSRF protection mechanisms. According to ATT&CK framework category TA0001, this vulnerability falls under the Initial Access phase where adversaries establish footholds through web application exploitation, while the privilege escalation aspect aligns with TA0004. The vulnerability also demonstrates characteristics of TA0003 (Persistence) as the newly created administrative accounts can provide long-term access to the compromised system, making regular security audits and monitoring of administrative account creation essential for maintaining system integrity.

Responsible

VulnCheck

Reservation

04/04/2026

Disclosure

04/04/2026

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.00146

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!