CVE-2020-21126 in MetInfoinfo

Summary

by MITRE • 09/16/2021

MetInfo 7.0.0 contains a Cross-Site Request Forgery (CSRF) via admin/?n=admin&c=index&a=doSaveInfo.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 09/19/2021

The vulnerability CVE-2020-21126 represents a critical cross-site request forgery weakness in MetInfo version 7.0.0 that specifically affects the administrative interface. This flaw exists within the URL path admin/?n=admin&c=index&a=doSaveInfo which handles administrative configuration updates, making it a prime target for malicious actors seeking unauthorized system modifications. The vulnerability falls under CWE-352, which categorizes cross-site request forgery flaws as a fundamental web application security issue where attackers can trick authenticated users into executing unwanted actions. The administrative context of this endpoint significantly amplifies the risk since successful exploitation would allow attackers to modify critical system configurations, user accounts, or other administrative settings without proper authorization.

The technical implementation of this CSRF vulnerability stems from the absence of proper anti-forgery tokens or validation mechanisms within the administrative save functionality. When an administrator visits a malicious website or clicks on a crafted link, the browser automatically submits requests to the MetInfo administration interface without requiring re-authentication or token verification. This occurs because the doSaveInfo endpoint does not validate the origin of requests or enforce session-specific tokens that would normally prevent unauthorized submissions. The flaw is particularly dangerous because it operates within the core administrative functions of the content management system, potentially allowing attackers to modify website settings, update user credentials, or even inject malicious code through configuration changes.

The operational impact of this vulnerability extends beyond simple data modification, as it creates a pathway for attackers to establish persistent access to the administrative interface and potentially compromise the entire website infrastructure. An attacker could leverage this vulnerability to change administrator passwords, modify website content, install backdoors, or disable security features that protect the system from other attacks. According to ATT&CK framework category T1078, this vulnerability enables adversary access to legitimate accounts through the exploitation of administrative functions, while T1566 covers the initial access vectors that could involve social engineering to trick administrators into visiting malicious sites. The risk is compounded by the fact that administrators often maintain long-lived sessions, making successful CSRF attacks more likely to succeed without detection.

Mitigation strategies for this vulnerability require immediate implementation of proper anti-forgery token validation within the administrative endpoints. Organizations should ensure that all administrative functions validate request origins and implement unique tokens for each session that must be present in every administrative request. The fix should include implementing the same-origin policy enforcement and requiring explicit user confirmation for administrative actions through CSRF tokens that are generated per session and validated server-side. Additionally, implementing proper session management with automatic timeouts and monitoring for unusual administrative activities can help detect potential exploitation attempts. Security patches should be applied immediately to all affected MetInfo installations, and administrators should be educated about the dangers of visiting untrusted websites while logged into administrative interfaces. Organizations should also consider implementing web application firewalls to detect and block suspicious administrative request patterns that could indicate CSRF attack attempts.

Reservation

08/13/2020

Disclosure

09/16/2021

Moderation

accepted

CPE

ready

EPSS

0.00612

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!