CVE-2010-5319

Name of the Vulnerable Software and Affected Versions Kandidat CMS version 1.4.2

Description The issue allows remote attackers to hijack the authentication of administrators for requests. This can be achieved through multiple cross-site request forgery (CSRF) vulnerabilities. Specifically, the vulnerabilities enable modification of settings via the "validate" action to "admin/settings.php", modification of pages via the what parameter to "admin/edit.php", or modification of articles via the edit parameter to "admin/news.php".

Recommendations For Kandidat CMS version 1.4.2, consider implementing CSRF protection mechanisms, such as tokens, to prevent unauthorized requests. As a temporary workaround, restrict access to the admin panels, specifically "admin/settings.php", "admin/edit.php", and "admin/news.php", to minimize the risk of exploitation. Avoid using the what and edit parameters in the affected API endpoints until the issue is resolved.