Furykangaroo

**Name of the Vulnerable Software and Affected Versions** Frog CMS version 0.9.5 **Description** The issue concerns a CSRF vulnerability in the admin interface, specifically affecting the "user/edit/1" endpoint. This could potentially allow unauthorized actions to be performed on user accounts. **Recommendations** For Frog CMS version 0.9.5, consider implementing proper CSRF token validation to prevent unauthorized requests to the "admin/?/user/edit/1" endpoint. As a temporary workaround, restrict access to this endpoint until a proper fix is applied.

**Name of the Vulnerable Software and Affected Versions** Cscms version 4 **Description** The issue allows for CSRF attacks, enabling unauthorized actions such as creating a member, authenticating vip members, creating a super administrator, and creating a web editor through specific API endpoints: "upload/admin.php/user/save", "upload/admin.php/user/init/tid", and "upload/admin.php/user/init/rzid" and "upload/admin.php/sys/save". **Recommendations** For Cscms version 4, as a temporary workaround, consider disabling access to the "upload/admin.php/user/save", "upload/admin.php/user/init/tid", "upload/admin.php/user/init/rzid", and "upload/admin.php/sys/save" endpoints until a patch is available. Restrict access to these endpoints to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OneThink version 1.1.141212 **Description** The issue allows for Cross-Site Request Forgery (CSRF) attacks, which can be used to perform unauthorized actions on the application. Specifically, it affects the addition of pages via "admin.php?s=/Channel/add.html", the addition of blogs via "admin.php?s=/Article/update.html", and the setting of the audit state via "admin.php?s=/Article/setStatus/status/1.html". **Recommendations** For OneThink version 1.1.141212, as a temporary workaround, consider disabling the affected API endpoints "admin.php?s=/Channel/add.html", "admin.php?s=/Article/update.html", and "admin.php?s=/Article/setStatus/status/1.html" until a patch is available. Restrict access to these endpoints to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** CraftedWeb through 2013-09-24 **Description** The issue is related to reflected XSS, which can be triggered via the `p` parameter. This allows for potential malicious script injection. **Recommendations** For versions through 2013-09-24, avoid using the `p` parameter in affected endpoints until a fix is applied. As a temporary workaround, consider restricting access to the vulnerable parameter to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** AuraCMS version 2.3 **Description** An issue was discovered that allows a CSRF vulnerability, enabling an attacker to change the administrator's password via the "admin.php?mod=users" endpoint and subsequently add a page or menu, or submit a topic. **Recommendations** For AuraCMS version 2.3, as a temporary workaround, consider restricting access to the "admin.php?mod=users" endpoint until a patch is available. Additionally, restrict the ability to add pages, menus, or submit topics to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** EmpireCMS version 7.0 **Description** A CSRF issue allows adding administrators via the "upload/e/admin/user/AddUser.php?enews=AddUser" endpoint. This can be exploited to add new administrators without proper authorization. **Recommendations** For EmpireCMS version 7.0, consider disabling access to the "upload/e/admin/user/AddUser.php?enews=AddUser" endpoint until a patch is available to prevent unauthorized addition of administrators.

**Name of the Vulnerable Software and Affected Versions** Cscms version 4.1.8 **Description** An issue was discovered that allows modification of a website's basic configuration via a CSRF vulnerability. This can be exploited through the "upload/admin.php/setting/save" API endpoint. **Recommendations** For Cscms version 4.1.8, as a temporary workaround, consider restricting access to the "upload/admin.php/setting/save" API endpoint until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.