
Lipeiyi

#21207 of 53,633
11.7 total CVSS
Vulnerabilities · 2
Medium
2
PT-2026-41441
5.3
2026-05-16
Bloofox · Bloofoxcms · CVE-2020-37241
bloofoxCMS 0.5.2.1 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions by tricking logged-in users into visiting malicious pages. Attackers can craft hidden forms targeting the admin user creation endpoint to add new administrative accounts with arbitrary credentials without requiring explicit user consent.
PT-2026-4519
6.4
2026-01-23
Unknown · Bloofoxcms · CVE-2021-47906
**Name of the Vulnerable Software and Affected Versions**
BloofoxCMS version 0.5.2.1

**Description**
BloofoxCMS contains a stored cross-site scripting issue. Authenticated attackers can inject malicious scripts through the `text` parameter in the articles section. This allows for the execution of scripts and potential theft of authenticated users' cookies.

**Recommendations**
Apply updates to address the issue in the articles section. As a temporary workaround, sanitize all input to the `text` parameter to prevent script injection.