CVE-2024-46394 in FrogCMS

Summary

by MITRE • 09/19/2024

FrogCMS v0.9.5 was discovered to contain a Cross-Site Request Forgery (CSRF) via /admin/?/user/add.


Analysis

by VulDB Data Team • 03/09/2025

FrogCMS version 0.9.5 contains a critical cross-site request forgery vulnerability in its administrative user management functionality. The flaw exists in the URL path /admin/?/user/add, which allows unauthorized attackers to perform administrative actions without proper authentication. The vulnerability stems from the absence of CSRF protection in the application's administrative interface, specifically when new user accounts are created through the add-user endpoint. Attackers can exploit this weakness by crafting malicious web pages or email attachments that automatically submit requests to the vulnerable endpoint when a victim views the malicious content, potentially leading to the creation of unauthorized accounts with elevated privileges.

Technically, this is a classic CSRF flaw: the application neither validates the origin of requests nor uses anti-CSRF tokens for critical administrative operations. This lets attackers drive the application's behavior through maliciously constructed requests that appear to originate from a legitimate administrative session. The vulnerability undermines the application's authentication and authorization mechanisms by allowing unauthorized users to bypass normal access controls and create new accounts in the CMS. Under CWE-352 this is a direct instance of cross-site request forgery: the web application fails to verify that requests originate from the same origin as its legitimate users.

The operational impact is severe, as the vulnerability gives attackers a path to privilege escalation within the CMS environment. An attacker who successfully exploits it could create new administrative user accounts with full access to the content management system, potentially leading to complete system compromise. It also enables persistent attacks: malicious users can establish backdoor accounts that survive across sessions, making detection and remediation harder. The risk is compounded because the flaw sits in the user management functionality, which legitimate administrators access frequently, making the attack surface more accessible.

Mitigation should focus on robust CSRF protection throughout the administrative interface. The recommended approach is anti-CSRF tokens generated per user session and validated on every administrative request, particularly those that modify system state or user permissions. In addition, the application should enforce strict origin validation and proper session management controls so that requests are known to originate from legitimate sources within the application. Organizations should also consider Content Security Policy headers, as well as web application firewalls, to detect and block unauthorized requests. This vulnerability aligns with ATT&CK technique T1078, which describes the use of valid accounts to establish persistence and maintain access to systems, and relates to T1548.001 for privilege escalation through manipulation of administrative access. Regular security audits and input validation should be applied to prevent similar vulnerabilities in other administrative endpoints within the CMS framework.
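The following is an added illustration, not code from FrogCMS or from the advisory, of the two mitigations recommended above: a per-session anti-CSRF token compared in constant time, and an Origin/Referer check against the site's own origin. The site origin, the session and request structures, and the user names are constructed stand-ins; only the endpoint path /admin/?/user/add comes from the advisory. The vulnerable handler models the pattern the analysis describes (any authenticated admin POST creates a user), and the hardened handler sits beside it so the difference on a forged cross-site submission is visible.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit

# Constructed stand-in for the CMS origin (assumption, not taken from the advisory).
SITE_ORIGIN = "https://cms.example.test"
ADD_USER_PATH = "/admin/?/user/add"  # the endpoint named in the advisory


@dataclass
class Session:
    """Minimal server-side session: who is logged in and their anti-CSRF token."""
    username: str
    is_admin: bool
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    """Only the parts of an HTTP request that the checks below need."""
    method: str
    path: str
    form: dict
    headers: dict
    session: Optional[Session]


def add_user_vulnerable(req: Request, users: dict) -> bool:
    """Pattern described in the analysis: an authenticated admin POST creates the
    user with no evidence that the admin intentionally issued the request."""
    if req.method != "POST" or req.path != ADD_USER_PATH:
        return False
    if req.session is None or not req.session.is_admin:
        return False
    users[req.form["username"]] = {"role": req.form.get("role", "user")}
    return True


def origin_is_trusted(headers: dict) -> bool:
    """Accept only requests whose Origin (or, failing that, Referer) names our origin.
    A request carrying neither header is rejected rather than trusted."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin == SITE_ORIGIN


def add_user_hardened(req: Request, users: dict) -> bool:
    """Same handler with the recommended controls: origin validation plus a
    per-session token that must be echoed back in the form and compared in constant time."""
    if req.method != "POST" or req.path != ADD_USER_PATH:
        return False
    if req.session is None or not req.session.is_admin:
        return False
    if not origin_is_trusted(req.headers):
        return False
    submitted = req.form.get("csrf_token", "")
    if not hmac.compare_digest(submitted, req.session.csrf_token):
        return False
    users[req.form["username"]] = {"role": req.form.get("role", "user")}
    return True


def demo() -> dict:
    """Run one legitimate submission and one forged cross-site submission through both handlers."""
    admin = Session(username="admin", is_admin=True)
    # Legitimate: submitted from the admin UI, so it carries the session's token and our Origin.
    legit = Request("POST", ADD_USER_PATH,
                    {"username": "editor", "role": "user", "csrf_token": admin.csrf_token},
                    {"Origin": SITE_ORIGIN}, admin)
    # Forged (constructed test input): the browser attaches the admin's session, but a
    # third-party page cannot read the token and the Origin header names that third party.
    forged = Request("POST", ADD_USER_PATH,
                     {"username": "unexpected", "role": "administrator"},
                     {"Origin": "https://third-party.example.test"}, admin)
    results = {}
    for name, handler in (("vulnerable", add_user_vulnerable), ("hardened", add_user_hardened)):
        users = {}
        results[name] = {
            "legit_created": handler(legit, users),
            "forged_created": handler(forged, users),
            "users": sorted(users),
        }
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The token check uses hmac.compare_digest so that a mismatch does not leak timing information about the stored value, and the origin check treats a missing Origin and Referer as untrusted rather than falling back to acceptance.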

Responsible: MITRE

Reservation: 09/11/2024

Disclosure: 09/19/2024

Moderation: accepted

CPE: ready

EPSS: 0.00135

KEV: no

Activities: very low
