Cross-site request forgery in CMS Made Simple - CVE-2016-7904
Published: January 16, 2017 / Updated: January 16, 2017
Vulnerability identifier: #VU4755
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2016-7904
CWE-ID: CWE-352
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: cmsmadesimple.org
Affected software:
CMS Made Simple
CMS Made Simple
Detailed vulnerability description
The vulnerability allows a remote attacker to perform CSRF attacks.
The vulnerability exists due to improper validation of the HTTP request origin in "admin/adduser.php" script. A remote attacker can create a specially specially crafted web page, trick the authenticated victim into visiting it, perform cross-site request forgery attack and hijack the authentication of administrators for requests that create accounts.
Successful exploitation of the vulnerability may allow an attacker to gain administrative access to vulnerable website.
How to mitigate CVE-2016-7904
Update to version 2.1.6