Qool CMS Cross-Site Request Forgery Vulnerability in Add User Functionality
Vulnerability
A cross-site request forgery (CSRF) vulnerability has been identified in Qool CMS version 2.0 RC2. It allows an attacker to perform administrative actions by deceiving a logged-in user into visiting a malicious web page. The attack forges a POST request to the '/admin/adduser' endpoint carrying the 'username', 'password', 'email' and 'level' parameters; because the endpoint accepts any POST made with the victim's session, this can create a root-level user account without the logged-in user's knowledge or consent.
Impact
Exploitation of this vulnerability allows for unauthorized administrative actions, including the creation of root-level user accounts.
Reproduction
To reproduce this vulnerability, a forged POST request must be sent to the '/admin/adduser' endpoint. This request should include the 'username', 'password', 'email', and 'level' parameters. If a logged-in user is tricked into visiting a page that sends this request, the vulnerability is successfully exploited.
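The two sections above describe the same unprotected endpoint: any POST to '/admin/adduser' carrying the four parameters is honoured as long as the browser holds an authenticated session. The following Python model, added here as an example and not Qool CMS's own code, shows that handler shape beside a hardened one that applies the standard CSRF defences: a per-session synchronizer token compared in constant time, plus an Origin/Referer check against the site's own origin. Every name in it (handler functions, the `SITE_ORIGIN` and `ROOT_LEVEL` values, the dict-based request and session objects, the in-memory user store) is a constructed assumption so that it runs offline.

```python
"""
Added example (not Qool CMS code): a minimal model of an admin "add user"
handler, first in the unprotected shape the advisory describes, then with
standard CSRF defences (synchronizer token + Origin/Referer check).
All names and values below are constructed for illustration.
"""
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://cms.example.test"   # constructed: the CMS's own origin
ROOT_LEVEL = "root"                         # assumed value of the 'level' parameter

# Constructed in-memory user store shared by both handlers.
users = {}


def add_user(form):
    """The privileged action: create the account described by the form fields."""
    users[form["username"]] = {"email": form["email"], "level": form["level"]}
    return 201, "created"


def handle_adduser_unsafe(request, session):
    """Shape the advisory describes: any POST from an authenticated browser is
    honoured, so a page on another origin can trigger account creation."""
    if not session.get("authenticated"):
        return 401, "login required"
    return add_user(request["form"])


def issue_csrf_token(session):
    """Bind a fresh, unguessable token to the session; the admin form embeds it
    as a hidden field so only pages served by the CMS can know it."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def _request_origin(headers):
    """Origin header if present, else the origin part of Referer, else None."""
    origin = headers.get("Origin")
    if origin:
        return origin
    referer = headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        return f"{parts.scheme}://{parts.netloc}"
    return None


def handle_adduser_safe(request, session):
    """Same action, but a state-changing POST must come from the site's own
    origin and carry the session's token. Anything missing fails closed."""
    if not session.get("authenticated"):
        return 401, "login required"
    if request["method"] != "POST":
        return 405, "method not allowed"
    # A cross-site page cannot make the browser send our origin here.
    if _request_origin(request["headers"]) != SITE_ORIGIN:
        return 403, "cross-site request rejected"
    # Constant-time comparison so the check does not leak the token.
    expected = session.get("csrf_token")
    supplied = request["form"].get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return 403, "missing or invalid CSRF token"
    return add_user(request["form"])


def demo():
    """Drive both handlers with a constructed cross-origin POST and a legitimate one."""
    users.clear()
    session = {"authenticated": True}
    cross_site = {  # constructed: what a page on another origin can make the browser send
        "method": "POST",
        "headers": {"Origin": "https://other.example.test"},
        "form": {"username": "added", "password": "x", "email": "a@example.test",
                 "level": ROOT_LEVEL},
    }
    unsafe_result = handle_adduser_unsafe(cross_site, session)
    blocked = handle_adduser_safe(cross_site, session)
    token = issue_csrf_token(session)
    legitimate = {  # constructed: submitted from the CMS's own admin form
        "method": "POST",
        "headers": {"Origin": SITE_ORIGIN},
        "form": {"username": "ops", "password": "x", "email": "o@example.test",
                 "level": "editor", "csrf_token": token},
    }
    accepted = handle_adduser_safe(legitimate, session)
    return unsafe_result, blocked, accepted


if __name__ == "__main__":
    print(demo())
```

Run stand-alone, the unprotected handler returns 201 for the cross-origin request while the hardened one returns 403 and only accepts the request that carries the session's token from the site's own origin. In a real CMS the token would be embedded in the rendered admin form and the Origin check would sit in shared middleware rather than in a single handler.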
