Cross-site request forgery in WonderCMS



Published: 2017-06-21
Risk: Low
Patch available: Yes
Number of vulnerabilities: 1
CVE-ID: N/A
CWE-ID: CWE-352
Exploitation vector: Network
Public exploit: Public exploit code for vulnerability #1 is available.
Vulnerable software: WonderCMS
Client/Desktop applications / Other client software

Vendor: WonderCMS

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Cross-site request forgery

EUVDB-ID: #VU7156

Risk: Low

CVSSv3.1: 5.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:P/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-352 - Cross-Site Request Forgery (CSRF)

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a CSRF attack.

The vulnerability exists due to insufficient validation of the HTTP request origin when creating new website pages. A remote attacker can trick the victim into following a specially crafted link and create arbitrary website pages.
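The insufficient origin validation described above is the classic CSRF failure: the server carries out a state-changing request (here, creating a page) without confirming that one of its own forms issued it. The following is an added example, not WonderCMS code and not the referenced exploit, showing the two complementary server-side checks that close this gap: an Origin/Referer comparison against the site's own origin, and a per-session synchronizer token verified in constant time. SITE_ORIGIN, the Session and Request classes, and the "create_page" action name are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Hypothetical site origin; the real deployment's origin is not on the page.
SITE_ORIGIN = "https://example.test"


@dataclass
class Session:
    """Minimal server-side session: holds a random per-session CSRF secret."""
    csrf_secret: str = field(default_factory=lambda: secrets.token_hex(32))


@dataclass
class Request:
    """Constructed stand-in for an HTTP request (only the fields the check needs)."""
    method: str
    headers: dict
    form: dict


def issue_token(session: Session, action: str) -> str:
    """Derive a per-action token from the session secret (HMAC-SHA256).
    The page-creation form embeds this value in a hidden field; a page on
    another origin cannot read it, so it cannot reproduce it."""
    return hmac.new(session.csrf_secret.encode(), action.encode(), hashlib.sha256).hexdigest()


def same_origin(headers: dict) -> bool:
    """Origin check: accept only requests whose Origin (or, failing that,
    Referer) names this site. With neither header present we refuse, because a
    state-changing request that cannot be attributed to our own pages must not
    be trusted by default."""
    origin = headers.get("Origin")
    if origin is not None:
        return origin == SITE_ORIGIN
    referer = headers.get("Referer")
    if referer is not None:
        return referer.startswith(SITE_ORIGIN + "/")
    return False


def csrf_check(session: Session, request: Request, action: str) -> tuple:
    """Return (allowed, reason). The method, origin and token checks must all pass."""
    if request.method != "POST":
        # A link the victim merely follows is a GET; state changes never ride on GET.
        return False, "state-changing action must use POST"
    if not same_origin(request.headers):
        return False, "request origin is not this site"
    supplied = request.form.get("csrf_token", "")
    expected = issue_token(session, action)
    # compare_digest on bytes: constant-time and tolerant of any supplied string.
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return False, "missing or invalid CSRF token"
    return True, "ok"


def demo() -> dict:
    """Run the check against three constructed requests to one session."""
    session = Session()
    token = issue_token(session, "create_page")
    # Legitimate submission from our own form: same origin, valid token.
    legit = Request("POST", {"Origin": SITE_ORIGIN},
                    {"page": "about", "csrf_token": token})
    # Cross-site POST (e.g. auto-submitted form on another site): foreign origin, no token.
    cross_site = Request("POST", {"Origin": "https://other-site.test"}, {"page": "new"})
    # A plain link followed from elsewhere: GET, so it is refused before any other check.
    link = Request("GET", {"Referer": "https://other-site.test/lure"}, {"page": "new"})
    return {
        "legit": csrf_check(session, legit, "create_page"),
        "cross_site": csrf_check(session, cross_site, "create_page"),
        "link": csrf_check(session, link, "create_page"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Both checks are kept because each covers what the other misses: the token defeats a forged request that passes the origin test (for example one with no Origin header suppressed by a policy), while the origin check stops a request that somehow carries a leaked token from another site.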

Mitigation

Update to version 2.2.0.

Vulnerable software versions

WonderCMS: 2.1.0

External links

http://packetstormsecurity.com/files/143042/wondercms210-xsrf.txt


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.
