PT-2026-23700 · Unknown · Easyndexer

Published: 2026-03-06 · Updated: 2026-03-06 · CVE-2018-25190

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions

Easyndexer version 1.0

Description

The software contains a cross-site request forgery issue that permits unauthenticated attackers to create administrative accounts. Attackers can create malicious web pages that submit crafted POST requests to the 'createuser.php' endpoint. The request includes parameters such as username, password, name, surname, and privileges. Setting privileges to 1 grants administrator access.

Recommendations

Apply a fix to prevent the creation of administrative accounts via forged POST requests to the 'createuser.php' endpoint.
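
What such a fix can look like, as an added example that is not Easyndexer's own code: a guard placed at the top of a createuser.php-style handler that requires an administrator session and a per-session CSRF token before the POST is acted on. The session keys (user_id, is_admin, csrf_token), the csrf_token form field and the 0 value for non-admin privileges are assumptions; the other POST field names follow the description above.

```php
<?php
// Added example, not Easyndexer's code. Session keys and the 'csrf_token'
// form field are hypothetical; 'privileges' is the field named in the advisory.
declare(strict_types=1);

session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
session_start();

/** Per-session CSRF token; the admin form embeds it in a hidden field. */
function csrf_token(): string
{
    $_SESSION['csrf_token'] ??= bin2hex(random_bytes(32));
    return $_SESSION['csrf_token'];
}

/** Constant-time check; rejects missing, non-string (array) or wrong values. */
function csrf_valid($submitted): bool
{
    return is_string($submitted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

function reject(int $status, string $reason): void
{
    http_response_code($status);
    exit($reason);
}

if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
    reject(405, 'POST required');
}
// 1. Creating accounts is an administrative action: require a logged-in admin.
if (empty($_SESSION['user_id']) || empty($_SESSION['is_admin'])) {
    reject(403, 'Administrator login required');
}
// 2. A forged cross-site form carries the session cookie but not this token.
if (!csrf_valid($_POST['csrf_token'] ?? null)) {
    reject(403, 'Invalid CSRF token');
}
// 3. Privileges must be an explicit integer: 1 is administrator per the
//    advisory; 0 as the non-admin value is an assumption.
$privileges = filter_var($_POST['privileges'] ?? null, FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 0, 'max_range' => 1]]);
if ($privileges === false) {
    reject(400, 'Invalid privileges value');
}
// All checks passed: continue with the application's existing account creation.
```

The page that renders the create-user form has to output csrf_token() in a hidden csrf_token input so that legitimate submissions pass check 2.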

Exploit

Fix

CSRF

Weakness Enumeration

Related Identifiers

CVE-2018-25190

Affected Products

Easyndexer