CVE-2019-20390

Name of the Vulnerable Software and Affected Versions Subrion CMS version 4.2.1

Description A Cross-Site Request Forgery (CSRF) issue allows a remote attacker to remove files on the server without the victim's knowledge. This is achieved by enticing an authenticated user to visit an attacker's web page. The application fails to validate the CSRF token for a GET request. An attacker can craft a "panel/uploads/read.json?cmd=rm" URL and send it to the victim.

Recommendations For Subrion CMS version 4.2.1, update to a version that includes a fix for this issue, as the current version fails to validate the CSRF token for GET requests, allowing attackers to remove files on the server. As a temporary workaround, consider restricting access to the "panel/uploads/read.json" endpoint to minimize the risk of exploitation.