CVE-2018-16448

Name of the Vulnerable Software and Affected Versions Cscms version 4

Description The issue allows for CSRF attacks, enabling unauthorized actions such as creating a member, authenticating vip members, creating a super administrator, and creating a web editor through specific API endpoints: "upload/admin.php/user/save", "upload/admin.php/user/init/tid", and "upload/admin.php/user/init/rzid" and "upload/admin.php/sys/save".

Recommendations For Cscms version 4, as a temporary workaround, consider disabling access to the "upload/admin.php/user/save", "upload/admin.php/user/init/tid", "upload/admin.php/user/init/rzid", and "upload/admin.php/sys/save" endpoints until a patch is available. Restrict access to these endpoints to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.