CVE-2018-16345

Name of the Vulnerable Software and Affected Versions EasyCMS version 1.5

Description An issue was discovered that allows for a CSRF vulnerability, enabling the update of the admin password. This is achieved via the index.php?s=/admin/rbacuser/update/navTabId/listusers/callbackType/closeCurrent endpoint, by exploiting the lack of proper CSRF protection.

Recommendations For EasyCMS version 1.5, consider implementing proper CSRF protection mechanisms to prevent unauthorized updates to the admin password, such as validating tokens for requests made to the index.php?s=/admin/rbacuser/update/navTabId/listusers/callbackType/closeCurrent endpoint.