CVE-2018-11004

Name of the Vulnerable Software and Affected Versions SDcms version 1.5

Description A cross-site request forgery (CSRF) issue allows remote attackers to add administrator accounts. This is possible via the "/WWW//app/admin/controller/admincontroller.php" endpoint with parameters such as m=admin, c=admin, and a=add.

Recommendations For SDcms version 1.5, as a temporary workaround, consider disabling the add functionality in the admin controller until a patch is available. Restrict access to the "/WWW//app/admin/controller/admincontroller.php" endpoint to minimize the risk of exploitation. Avoid using the parameters m, c, and a in this endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.