CVE-2019-8347

Name of the Vulnerable Software and Affected Versions BEESCMS version 4.0

Description The issue allows for the addition of arbitrary VIP accounts due to a CSRF vulnerability. This can be exploited via the "admin/admin member.php?action=add&nav=add web user&admin p nav=user" URI, which is an API endpoint. The action, nav, and admin p nav variables are involved in this process.

Recommendations For BEESCMS version 4.0, as a temporary workaround, consider restricting access to the "admin/admin member.php" endpoint to minimize the risk of exploitation. Avoid using the action, nav, and admin p nav variables in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.