CVE-2014-4718

Name of the Vulnerable Software and Affected Versions Lunar CMS versions prior to 3.3-3

Description The issue concerns multiple cross-site request forgery (CSRF) vulnerabilities. These vulnerabilities allow remote attackers to hijack the authentication of administrators for specific requests. This can be achieved through requests to add Super users via "admin/user create.php" or by conducting cross-site scripting (XSS) attacks via the email or subject parameters in "contact form.ext.php" to "admin/extensions.php".

Recommendations For Lunar CMS versions prior to 3.3-3, update to version 3.3-3 or later to resolve the issue. As a temporary workaround, consider restricting access to "admin/user create.php" and "admin/extensions.php" to minimize the risk of exploitation. Additionally, avoid using the email and subject parameters in the affected API endpoints until the issue is resolved.