CVE-2018-25186 in Stack
Summary
by MITRE • 03/06/2026
Tina4 Stack 1.0.3 contains a cross-site request forgery vulnerability that allows attackers to modify admin user credentials by submitting forged POST requests to the profile endpoint. Attackers can craft HTML forms targeting the /kim/profile endpoint with hidden fields containing malicious user data like passwords and email addresses to update administrator accounts without authentication.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 03/16/2026
The vulnerability identified as CVE-2018-25186 affects Tina4 Stack version 1.0.3 and represents a critical cross-site request forgery flaw that directly compromises administrative account security. This vulnerability resides in the application's profile management functionality where the system fails to implement proper anti-CSRF measures, creating an exploitable condition that allows unauthenticated attackers to manipulate administrator credentials through carefully crafted malicious requests. The issue manifests specifically within the /kim/profile endpoint which serves as the target for forged POST requests that can alter sensitive user information including passwords and email addresses.
The technical implementation of this vulnerability stems from the absence of anti-CSRF tokens in the web application's authentication flow. When users access the profile management interface, the application does not validate the origin of requests or verify that they originate from legitimate authenticated sessions. This design flaw enables attackers to construct HTML forms that automatically submit malicious POST requests to the vulnerable endpoint without requiring any authentication credentials. The attacker can embed hidden form fields containing crafted user data that will be processed by the backend system as legitimate updates to administrator accounts.
From an operational perspective, this vulnerability presents a severe risk to system security as it allows attackers to gain unauthorized access to administrative privileges without proper authentication. The impact extends beyond simple credential theft since successful exploitation can lead to complete system compromise, allowing attackers to modify user accounts, access sensitive data, and potentially establish persistent backdoors within the application environment. The vulnerability is particularly dangerous because it operates silently without requiring user interaction beyond visiting a malicious webpage, making it difficult to detect and prevent through traditional user awareness measures.
The flaw aligns with CWE-352, which specifically addresses Cross-Site Request Forgery vulnerabilities, and corresponds to techniques documented in the MITRE ATT&CK framework under T1078 for valid accounts and T1566 for phishing. Organizations affected by this vulnerability should immediately implement CSRF token validation mechanisms, ensure proper session management controls, and conduct thorough security assessments of all web application endpoints. Additionally, the application should be updated to a patched version that includes proper anti-CSRF protections, and administrators should review access logs for potential exploitation attempts. Network segmentation and web application firewalls can provide additional layers of defense while the core vulnerability is addressed through proper code remediation and security hardening measures.