CVE-2018-8717

Name of the Vulnerable Software and Affected Versions joyplus-cms version 1.6.0

Description The issue allows for CSRF, as demonstrated by adding an administrator account via a "manager/admin ajax.php?action=save&tab={pre}manager" request. This can be exploited by sending a malicious request to the manager/admin ajax.php endpoint with the action parameter set to save and the tab parameter set to a specific value, potentially allowing an attacker to add an administrator account.

Recommendations For joyplus-cms version 1.6.0, consider implementing proper CSRF protection mechanisms, such as token-based validation, to prevent unauthorized requests to the manager/admin ajax.php endpoint. As a temporary workaround, restrict access to the manager/admin ajax.php endpoint to minimize the risk of exploitation.