CVE-2019-25682 — MEDIUM (4.3)

Vulnerability Description

CMSsite 1.0 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized administrative actions by crafting malicious HTML forms. Attackers can trick authenticated administrators into visiting crafted pages that submit POST requests to the users.php endpoint with parameters like source=add_user, source=edit_user, or del=1 to create, modify, or delete admin accounts.

CVSS Score

4.3

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
Victoralagwu	Cmssite	1.0

Related Weaknesses (CWE)

CWE-352

References

https://github.com/VictorAlagwu/CMSsiteProduct
https://www.exploit-db.com/exploits/46480ExploitVDB Entry
https://www.vulncheck.com/advisories/cmssite-cross-site-request-forgery-via-userThird Party Advisory

FAQ

What is CVE-2019-25682?

CVE-2019-25682 is a vulnerability with a CVSS score of 4.3 (MEDIUM). CMSsite 1.0 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized administrative actions by crafting malicious HTML forms. Attackers can trick authenticated...

How severe is CVE-2019-25682?

CVE-2019-25682 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2019-25682?

Check the references section above for vendor advisories and patch information. Affected products include: Victoralagwu Cmssite.