CVE-2011-5318

Name of the Vulnerable Software and Affected Versions diafan.CMS versions prior to 5.1

Description The issue allows remote attackers to hijack the authentication of administrators for requests. This can be achieved through multiple cross-site request forgery (CSRF) vulnerabilities. Specifically, the vulnerabilities can be exploited to modify articles via a save post action to "admin/news/saveNEWS ID/", modify settings via a save post action to "admin/site/save2/", or modify credentials via a save post action to "admin/usersite/save2/".

Recommendations For diafan.CMS versions prior to 5.1, update to version 5.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the "admin/news/saveNEWS ID/", "admin/site/save2/", and "admin/usersite/save2/" API endpoints to minimize the risk of exploitation. Additionally, avoid using the save post action in these endpoints until the issue is resolved.