CVE-2018-25200

Name of the Vulnerable Software and Affected Versions OOP CMS BLOG version 1.0

Description The software is susceptible to a cross-site request forgery issue. Unauthenticated attackers can create administrative user accounts by submitting specially designed POST requests. The attack targets the /addUser.php endpoint, utilizing parameters such as userName, password, email, and role to grant unauthorized administrative privileges.

Recommendations Apply a fix to prevent unauthenticated attackers from submitting requests to the /addUser.php endpoint. Ensure proper CSRF protection mechanisms are implemented for the /addUser.php endpoint. Restrict access to the /addUser.php endpoint to authenticated users only.