PT-2024-26288 · Idccms · Idccms

Author: Thirtypenny77 · Published 2024-05-14 · Updated 2024-08-08

CVE-2024-35009

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: idccms version 1.35

Description: The issue is a Cross-Site Request Forgery (CSRF) in the component /admin/share switch.php. The endpoint accepts state-changing requests driven by the parameters mudi, dataType, fieldName, fieldName2, tabName, and dataID without protection against forged cross-site requests. A request to /admin/share switch.php with parameters such as mudi=switch, dataType=, fieldName=state, fieldName2=state, tabName=banner, and dataID=6 is one instance of the affected call.

Recommendations: For idccms version 1.35, as a temporary workaround, consider restricting access to the /admin/share switch.php endpoint until a patch is available. Avoid using the parameters mudi, dataType, fieldName, fieldName2, tabName, and dataID in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
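Added detection example, not part of the advisory or the idccms code: it scans web-server access logs for requests to the endpoint named above (the space in the path name is assumed to appear URL-encoded as %20 in the log) carrying mudi=switch whose Referer is missing or points to a host other than the CMS's own hostname, which is the signal a forged cross-site request would leave. The hostname cms.example.test and the sample log lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in combined log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [14/May/2024:10:00:01 +0000] "GET /admin/share%20switch.php?mudi=switch&dataType=&fieldName=state&fieldName2=state&tabName=banner&dataID=6 HTTP/1.1" 200 512 "https://cms.example.test/admin/index.php" "Mozilla/5.0"
203.0.113.7 - - [14/May/2024:10:02:15 +0000] "GET /admin/share%20switch.php?mudi=switch&dataType=&fieldName=state&fieldName2=state&tabName=banner&dataID=6 HTTP/1.1" 200 512 "https://attacker.example.test/lure.html" "Mozilla/5.0"
203.0.113.9 - - [14/May/2024:10:03:30 +0000] "GET /admin/share%20switch.php?mudi=switch&dataType=&fieldName=state&fieldName2=state&tabName=banner&dataID=6 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [14/May/2024:10:04:00 +0000] "GET /admin/index.php HTTP/1.1" 200 2048 "https://cms.example.test/admin/" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

TRUSTED_HOST = "cms.example.test"          # assumption: the CMS's own hostname
TARGET_PATH = "/admin/share switch.php"    # endpoint named in the advisory (decoded)


def is_suspicious(line):
    """Return a finding dict for a cross-site hit on the switch endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    if unquote(parts.path) != TARGET_PATH:
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)
    if qs.get("mudi") != ["switch"]:
        return None
    ref = m["referer"]
    # A missing Referer ("-") is weaker evidence than an off-site one, since
    # browsers and proxies may strip it, but it still merits review.
    ref_host = urlsplit(ref).hostname if ref not in ("", "-") else None
    if ref_host == TRUSTED_HOST:
        return None
    return {"ip": m["ip"], "ts": m["ts"], "referer": ref,
            "tabName": qs.get("tabName", [""])[0], "dataID": qs.get("dataID", [""])[0]}


def scan(log_text):
    """Apply is_suspicious to every line and keep the findings."""
    return [h for h in (is_suspicious(l) for l in log_text.splitlines()) if h]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Requests whose Referer matches the CMS host are not flagged, so this only surfaces the cross-site pattern; it does not replace fixing the missing CSRF protection on the endpoint.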

Exploit: CSRF

Weakness Enumeration

Related Identifiers: CVE-2024-35009

Affected Products: Idccms