CVE-2024-23094 in flusityinfo

Summary

by MITRE • 02/22/2024

Flusity-CMS v2.33 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /cover/addons/info_media_gallery/action/edit_addon_post.php

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 06/08/2025

The vulnerability identified as CVE-2024-23094 affects Flusity-CMS version 2.33 and represents a critical Cross-Site Request Forgery flaw that undermines the application's security posture. This CSRF vulnerability exists within the specific component path /cover/addons/info_media_gallery/action/edit_addon_post.php, which suggests the issue is tied to media gallery management functionality within the content management system. The flaw allows attackers to manipulate the CMS behavior through forged requests that appear legitimate to the system.

The technical implementation of this CSRF vulnerability stems from the absence of proper anti-CSRF mechanisms within the targeted PHP script. When users navigate to the media gallery management interface and perform actions such as editing or adding media content, the application fails to validate the authenticity of the request origin. This validation gap enables malicious actors to craft specially crafted requests that, when executed by authenticated users, perform unauthorized operations within the CMS context. The vulnerability specifically impacts the edit_addon_post.php endpoint, indicating that modifications to media gallery components are susceptible to this attack vector.

The operational impact of this CSRF vulnerability is significant as it provides attackers with the capability to execute unauthorized modifications to the CMS media gallery functionality. An attacker could potentially add malicious media files, modify existing gallery configurations, or manipulate media content in ways that compromise the integrity of the website. This could lead to defacement of the website, injection of malicious content, or disruption of legitimate media management operations. The vulnerability is particularly dangerous because it operates within a core content management component, potentially allowing attackers to gain persistent access to media assets and associated metadata.

From a cybersecurity perspective, this vulnerability aligns with CWE-352, which specifically addresses Cross-Site Request Forgery weaknesses in software applications. The flaw also maps to ATT&CK technique T1566.001, which covers social engineering through spearphishing with a link, as attackers could exploit this vulnerability through malicious links delivered via phishing campaigns. Organizations using Flusity-CMS v2.33 should prioritize immediate remediation through the implementation of anti-CSRF tokens within the affected endpoint. The recommended mitigation involves adding unique, unpredictable tokens to all state-changing requests and validating these tokens server-side before processing any modifications. Additionally, implementing proper referer header validation and SameSite cookie attributes would provide additional layers of protection. The vulnerability demonstrates the critical importance of maintaining robust session management and request validation mechanisms, particularly within content management systems where users perform frequent administrative actions. Organizations should also consider implementing web application firewalls and monitoring for suspicious request patterns that could indicate CSRF attack attempts.

Reservation

01/11/2024

Disclosure

02/22/2024

Moderation

accepted

CPE

ready

EPSS

0.00296

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!