CVE-2022-44387 EyouCMS V1.5.9-UTF8-SP1 had a CSRF vulnerability in the Basic Information component of the Edit Member module.


An attacker could exploit this issue to make a logged-in backend user's browser submit forged requests via CSRF, provided that user has access to the backend system. In certain cases, this can be chained into remote code execution (RCE). The following components were affected by this issue:

- The system administrator profile
- The administrator group
- The Advanced settings module
- The Enable/Disable Voting settings module
- The Enable/Disable Poll settings module
- The Global statistics module
- The Search settings module
- The Basic information component

Vulnerability overview

A vulnerability was identified in Drupal 7 and has been fixed as of the release of this version.
The vulnerability was identified by a security researcher, who found that the following backend areas lacked CSRF protection: the system administrator profile, the administrator group, the Advanced settings module, the Enable/Disable Voting settings module, the Enable/Disable Poll settings module and the Global statistics module.

System administrator profile

The system administrator profile allows the user to make changes to the backend. The following components were affected by this issue:

- The system administrator profile
- The administrator group

If an attacker can lure a user who is logged in to a vulnerable system onto a page they control, they may be able to force that user's browser to make state-changing requests against the application. This could allow the attacker to perform a remote code execution (RCE) attack.
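To make the defect concrete from the defender's side, the following added example (written for this page, not EyouCMS or Drupal code) models an "edit member" backend handler in two forms: the vulnerable pattern, which trusts any POST that carries a valid admin session, and a hardened version that also requires a per-session anti-CSRF token and checks the Origin/Referer header. The session and member store are plain dicts standing in for the application's real state, and the function and field names (`_csrf_token`, `edit_member_*`) are assumptions for illustration.

```python
"""Anti-CSRF check for a state-changing admin form (added example, not project code).

The vulnerable handler only verifies that the caller is logged in, so a forged
cross-site POST riding on the admin's session cookie succeeds.  The protected
handler additionally requires a secret token that only same-origin pages can
read, and rejects requests whose Origin/Referer is foreign.
"""
import hmac
import secrets

SESSION_TOKEN_KEY = "_csrf_token"   # hypothetical session slot for the token


def issue_csrf_token(session: dict) -> str:
    """Create (or reuse) the session's anti-CSRF token.

    The server embeds the returned value as a hidden field in the HTML form;
    a cross-site attacker page cannot read it because of the same-origin policy.
    """
    token = session.get(SESSION_TOKEN_KEY)
    if token is None:
        token = secrets.token_urlsafe(32)   # 256 bits of CSPRNG entropy
        session[SESSION_TOKEN_KEY] = token
    return token


def origin_allowed(headers: dict, allowed_origin: str) -> bool:
    """Defence-in-depth: reject requests whose Origin (or Referer) is foreign.

    Browsers attach Origin to cross-site POSTs, so a forged request from an
    attacker page arrives with the attacker's origin.  If neither header is
    present we fail closed and rely on the token check to make the decision.
    """
    origin = headers.get("Origin")
    if origin is not None:
        return origin == allowed_origin
    referer = headers.get("Referer")
    if referer is not None:
        return referer.startswith(allowed_origin + "/")
    return False


def edit_member_vulnerable(session: dict, form: dict, members: dict):
    """'Before' pattern: a valid session cookie is the only check."""
    if not session.get("admin_logged_in"):
        return 403, "not logged in"
    members[form["member_id"]]["nickname"] = form["nickname"]
    return 200, "updated"


def edit_member_protected(session: dict, headers: dict, form: dict,
                          members: dict, allowed_origin: str):
    """Hardened handler: session + Origin check + constant-time token compare."""
    if not session.get("admin_logged_in"):
        return 403, "not logged in"
    if not origin_allowed(headers, allowed_origin):
        return 403, "cross-site origin rejected"
    expected = session.get(SESSION_TOKEN_KEY)
    supplied = form.get(SESSION_TOKEN_KEY, "")
    # compare_digest avoids leaking the token byte-by-byte through timing.
    if expected is None or not hmac.compare_digest(expected, supplied):
        return 403, "missing or invalid CSRF token"
    members[form["member_id"]]["nickname"] = form["nickname"]
    return 200, "updated"


def demo():
    """Constructed scenario: an admin is logged in; an attacker page forges a POST."""
    site = "https://cms.example.test"            # constructed allowed origin
    session = {"admin_logged_in": True}
    members = {"1001": {"nickname": "alice"}}

    # A forged request carries no token and a foreign Origin header.
    forged_form = {"member_id": "1001", "nickname": "pwned"}
    forged_headers = {"Origin": "https://attacker.example.test"}

    vuln_status, _ = edit_member_vulnerable(session, forged_form, members)
    nick_after_vuln = members["1001"]["nickname"]          # "pwned" - forgery worked

    members["1001"]["nickname"] = "alice"                  # reset for the second run
    prot_status, _ = edit_member_protected(session, forged_headers, forged_form,
                                           members, site)
    nick_after_prot = members["1001"]["nickname"]          # still "alice"

    # A legitimate same-origin submission that includes the embedded token succeeds.
    good_form = {"member_id": "1001", "nickname": "alice2",
                 SESSION_TOKEN_KEY: issue_csrf_token(session)}
    good_headers = {"Origin": site}
    good_status, _ = edit_member_protected(session, good_headers, good_form,
                                           members, site)
    return vuln_status, nick_after_vuln, prot_status, nick_after_prot, good_status


if __name__ == "__main__":
    print(demo())
```

The two-layer design matters because each check covers a gap in the other: the Origin/Referer check is cheap but those headers can be absent (some proxies and privacy settings strip Referer, and older clients omit Origin on form posts), whereas the per-session token is authoritative but depends on every state-changing form actually embedding it. Marking the session cookie `SameSite=Lax` or `Strict` would add a third, browser-enforced layer.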
