PT-2018-10237 · Sdcms · Sdcms
Publicado
2018-05-12
·
Atualizado
2018-06-18
·
CVE-2018-11004
CVSS v3.1
8.8
Alta
| Vetor | AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
SDcms version 1.5
Description
A cross-site request forgery (CSRF) issue allows remote attackers to add administrator accounts. This is possible via the "/WWW//app/admin/controller/admincontroller.php" endpoint with parameters such as
m=admin, c=admin, and a=add.Recommendations
For SDcms version 1.5, as a temporary workaround, consider disabling the
add functionality in the admin controller until a patch is available. Restrict access to the "/WWW//app/admin/controller/admincontroller.php" endpoint to minimize the risk of exploitation. Avoid using the parameters m, c, and a in this endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.Exploit
CSRF
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Sdcms