CVE-2018-10127

Name of the Vulnerable Software and Affected Versions: XYHCMS version 3.5

Description: An issue was discovered that allows CSRF via an "index.php?g=Manage&m=Rbac&a=addUser" request, resulting in the addition of an account with the administrator role.

Recommendations: For XYHCMS version 3.5, consider implementing CSRF protection measures to prevent unauthorized requests to the "index.php?g=Manage&m=Rbac&a=addUser" endpoint, such as validating tokens or using same-site cookies, until a patch is available.