PT-2024-28331 · Idccms · Idccms

Published: 2024-07-05 · Updated: 2024-07-09 · CVE-2024-39020

CVSS v3.1: 6.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions: idccms version 1.35

Description: A Cross-Site Request Forgery (CSRF) issue was discovered in idccms via the "/admin/vpsApiData deal.php" endpoint, specifically when the mudi and nohrefStr parameters are set to 'rev' and 'close', respectively. This allows unauthorized actions to be performed.

Recommendations: For idccms version 1.35, as a temporary workaround, consider disabling access to the "/admin/vpsApiData deal.php" endpoint until a patch is available. Restrict the use of the mudi and nohrefStr parameters in this endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.
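As an added illustration of the kind of guard the recommendation points to (this is example code, not idccms code and not a vendor patch): a PHP include that an administrator could place at the top of the affected endpoint so that the state-changing mudi/nohrefStr parameters are only honoured on a same-origin POST carrying a per-session token. The host name, the token transport (hidden form field or X-CSRF-Token header) and the session setup are assumptions.

```php
<?php
// Added example guard for "/admin/vpsApiData deal.php" (not idccms code).
// Assumes the admin UI already uses a PHP session and that its forms and
// XHR calls can be updated to send the token; the host is a placeholder.
declare(strict_types=1);

// SameSite=Lax on the session cookie blocks the cookie on cross-site POSTs
// in modern browsers; the token check below covers everything else.
session_set_cookie_params(['samesite' => 'Lax', 'httponly' => true, 'secure' => true]);
session_start();

function csrf_token(): string {
    // Synchronizer token: one random value per session, embedded in each form.
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function same_origin(string $allowedHost): bool {
    // Prefer Origin, fall back to Referer; a request carrying neither is
    // rejected, since a forged cross-site request will not name the admin host.
    $src  = $_SERVER['HTTP_ORIGIN'] ?? $_SERVER['HTTP_REFERER'] ?? '';
    $host = parse_url($src, PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $allowedHost) === 0;
}

function require_csrf_protection(string $allowedHost): void {
    // Only the state-changing parameters named in the advisory are gated;
    // plain reads of the page continue to work unchanged.
    $isStateChange = isset($_REQUEST['mudi']) || isset($_REQUEST['nohrefStr']);
    if (!$isStateChange) {
        return;
    }
    $sent = $_POST['csrf_token'] ?? $_SERVER['HTTP_X_CSRF_TOKEN'] ?? '';
    $ok = ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST'
        && same_origin($allowedHost)
        && is_string($sent)
        && hash_equals(csrf_token(), $sent);   // constant-time comparison
    if (!$ok) {
        http_response_code(403);
        exit('Request rejected: missing or invalid CSRF token');
    }
}

require_csrf_protection('admin.example.com');  // placeholder admin host
```

Any existing link in the admin UI that triggers mudi=rev or nohrefStr=close via GET must be converted to a POST form that embeds csrf_token() in a hidden field, otherwise the guard rejects it as well.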

Weakness Enumeration: CSRF

Related Identifiers: CVE-2024-39020

Affected Products: Idccms