PT-2018-18707 · Frog Cms · Frog Cms

Samrat Das

Published

2018-03-31

Updated

2018-05-09

CVE-2018-8908

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Frog CMS version 0.9.5

Description The issue is related to the lack of an anti-CSRF token in state modification requests, specifically in the "add user" functionality. This allows a malicious user to craft an HTML page that can trick a victim into creating a new user with admin privileges when clicked. The vulnerable endpoint is "/admin/?/user/add".

Recommendations For Frog CMS version 0.9.5, consider implementing an anti-CSRF token in state modification requests to prevent cross-site request forgery attacks. As a temporary workaround, restrict access to the "/admin/?/user/add" endpoint to minimize the risk of exploitation.

Exploit

Fix

CSRF

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-352

Related Identifiers

CVE-2018-8908

Affected Products

Frog Cms

PT-2018-18707 · Frog Cms · Frog Cms

CVE-2018-8908

Weakness Enumeration

Related Identifiers

Affected Products

References · 4