CVE-2023-45902 in Dreamerinfo

Summary

by MITRE • 10/25/2023

Dreamer CMS v4.1.3 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /admin/attachment/delete.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 02/12/2026

The vulnerability identified as CVE-2023-45902 affects Dreamer CMS version 4.1.3 and represents a critical Cross-Site Request Forgery flaw within the administrative attachment deletion functionality. This issue resides in the /admin/attachment/delete component which lacks proper CSRF protection mechanisms, allowing authenticated attackers with administrative privileges to execute unauthorized actions on behalf of legitimate users. The vulnerability stems from the absence of anti-CSRF tokens or similar validation controls that would normally verify the authenticity of requests originating from the intended administrative interface.

The technical implementation of this flaw demonstrates a classic CSRF attack vector where an attacker can craft malicious requests that target the vulnerable deletion endpoint. When an authenticated administrator visits a malicious website or clicks on a compromised link, the attacker can trigger the deletion of attachments without the administrator's knowledge or explicit consent. This vulnerability operates at the application layer and specifically targets the CMS's administrative functionality, making it particularly dangerous as it allows for potential data destruction and system compromise. The flaw aligns with CWE-352, which specifically addresses Cross-Site Request Forgery vulnerabilities in software applications.

The operational impact of this vulnerability extends beyond simple data loss, as it can enable more sophisticated attack chains within the CMS environment. An attacker could leverage this CSRF vulnerability to delete critical system files, attachments, or media assets that may contain sensitive information or are essential for system operation. The attack requires only that the target administrator be authenticated to the Dreamer CMS administrative interface, which significantly lowers the attack threshold. This makes the vulnerability particularly concerning in environments where administrators frequently browse untrusted websites or where the CMS is deployed in high-risk network environments. The issue also potentially violates security best practices outlined in the OWASP Top Ten and NIST cybersecurity guidelines for web application security.

Mitigation strategies for this CSRF vulnerability should focus on implementing robust anti-CSRF protection mechanisms within the Dreamer CMS administrative components. The most effective approach involves implementing proper CSRF token validation for all state-changing operations within the admin interface, including the attachment deletion functionality. Organizations should ensure that all administrative endpoints require valid anti-CSRF tokens that are generated per session and validated on each request. Additionally, implementing the SameSite cookie attributes and Content Security Policy headers can provide additional layers of protection. The fix should align with ATT&CK technique T1566.002 which covers the exploitation of web application vulnerabilities for privilege escalation and unauthorized access. Organizations should also conduct thorough security testing including penetration testing to verify that the implemented CSRF protections are effective and that no other similar vulnerabilities exist within the CMS administrative interface.

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!