Vendor: PHP NEWS
By: Meryem AKDOĞAN
CVSS: 8.8 (HIGH)
CWE: 352 (Cross-Site Request Forgery)
Product Name: PHP NEWS
Affected Version From: 1.3.0
Affected Version To: 1.3.0
Patch Exists: NO
Related CWE: N/A
CPE: a:newsphp:php_news:1.3.0
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: PHP
2016
PHP NEWS 1.3.0 – Cross-Site Request Forgery (Add Admin)
PHP NEWS version 1.3.0 is vulnerable to CSRF (no CSRF token is in place). If an admin user can be tricked into visiting a crafted URL created by the attacker (via spear phishing or social engineering), a form is submitted to http://sitename/path/index.php that changes the admin password. Once exploited, the attacker can log in to the admin panel with the username and password posted in that form.
Mitigation:
Implement CSRF tokens on state-changing forms, and verify them server-side, to prevent CSRF attacks.
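The following is an added example of the mitigation, not code from the PHP NEWS project: a synchronizer-token pattern in PHP for a state-changing admin form. The function names, the form fields and the `index.php` handler layout are assumptions; the point is that a per-session random token is issued, embedded in the form, and checked in constant time before any change is processed, with a SameSite session cookie as defence in depth.

```php
<?php
// Added example (not PHP NEWS code): synchronizer-token CSRF protection for a
// state-changing admin form. Function names and form fields are assumptions.

// Defence in depth: a SameSite=Lax session cookie is not sent on cross-site
// top-level POSTs, so a forged form submission arrives without the admin session.
session_set_cookie_params([
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

// Issue one unpredictable token per session (32 random bytes, hex-encoded).
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Validate a submitted token; hash_equals() avoids timing side channels.
// Returns true only when a session token exists and matches exactly.
function csrf_validate(?string $submitted): bool {
    if ($submitted === null || empty($_SESSION['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

// Hidden field that every state-changing form must carry.
function csrf_field(): string {
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Assumed handler for the admin password form: reject a POST whose token is
// missing or wrong before any database write happens.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_validate($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token');
    }
    // Only now apply the password change for the logged-in admin (not shown).
}
?>
<form method="post" action="index.php">
    <?= csrf_field() ?>
    <label>New password <input type="password" name="password"></label>
    <button type="submit">Update</button>
</form>
```

A forged request from another origin cannot read the victim's session token, so the hidden field is absent or wrong and the handler returns 403 without touching the password. Rotating the token after a successful change, and applying the same check to every admin action (add user, delete post), closes the remaining forms the advisory's title refers to.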