CVE-2020-19669

Name of the Vulnerable Software and Affected Versions: Eyoucms version 1.3.6

Description: A Cross Site Request Forgery (CSRF) issue exists, allowing an attacker to add an admin account via the /login.php?m=admin&c=Admin&a=admin add&lang=cn API endpoint. This can be exploited by manipulating the m, c, a, and lang variables.

Recommendations: For Eyoucms version 1.3.6, as a temporary workaround, consider disabling access to the /login.php?m=admin&c=Admin&a=admin add&lang=cn endpoint until a patch is available. Restrict the use of the m, c, a, and lang variables in this endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.