Snews CMS Cross-Site Request Forgery Vulnerability Allowing Unauthorized Credential Changes

Vulnerability

A cross-site request forgery (CSRF) vulnerability has been identified in Snews CMS version 1.7. The credential-change request carries no anti-CSRF token, so an attacker who cannot authenticate can still change administrator credentials by riding an authenticated administrator's session. By crafting malicious HTML forms, attackers can trick authenticated administrators into submitting POST requests that modify the admin username and password. Successful exploitation can lead to unauthorized administrative access.

Impact

Exploitation of this vulnerability allows for unauthorized changes to administrator credentials, potentially leading to unauthorized administrative access.

Reproduction

To reproduce this vulnerability, create a hidden HTML form that submits POST requests to the 'changeup' action. Include the new username and password values in the form. When an authenticated administrator visits the page with the hidden form, the credentials will be changed without their knowledge.
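The defensive counterpart to the reproduction above: a credential-change handler that rejects the forged POST. This is an added example, not code from Snews CMS; it uses an in-memory session store, the assumed field names 'newuser', 'newpass' and 'csrf_token', and an assumed site origin, none of which come from the advisory. The handler requires a per-session synchronizer token (which a page on another origin cannot read) and, as defense in depth, rejects requests whose Origin header is not the CMS's own.

```python
import hmac
import secrets
import hashlib

# Constructed in-memory stand-ins for the CMS session store and the admin record.
SESSIONS = {}
ADMIN = {"username": "admin", "pw_hash": None}
SITE_ORIGIN = "https://cms.example"  # assumed origin of the CMS itself


def new_session(username):
    """Create a logged-in session; the per-session CSRF token is minted here."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": username, "csrf_token": secrets.token_hex(32)}
    return sid


def render_changeup_form(sid):
    """The legitimate settings form embeds the session's token as a hidden field.
    A document on another origin cannot read it, so it cannot reproduce it."""
    return {"action": "changeup", "csrf_token": SESSIONS[sid]["csrf_token"]}


def handle_changeup(sid, form, origin=None):
    """Hardened handler for the 'changeup' action (hypothetical field names).
    Returns (http_status, message)."""
    session = SESSIONS.get(sid)
    if session is None:
        return 401, "not authenticated"
    # 1. Synchronizer token, compared in constant time; a missing token fails too.
    if not hmac.compare_digest(form.get("csrf_token", ""), session["csrf_token"]):
        return 403, "csrf token missing or invalid"
    # 2. Defense in depth: when the browser sends Origin, it must be our own site.
    if origin is not None and origin != SITE_ORIGIN:
        return 403, "cross-origin request rejected"
    new_user = form.get("newuser", "")
    new_pass = form.get("newpass", "")
    if not new_user or not new_pass:
        return 400, "username and password required"
    # Store a salted PBKDF2 hash rather than the password itself.
    salt = secrets.token_bytes(16)
    ADMIN["username"] = new_user
    ADMIN["pw_hash"] = (salt, hashlib.pbkdf2_hmac("sha256", new_pass.encode(), salt, 200_000))
    return 200, "credentials updated"


def forged_request(sid):
    """Models the hidden form from the advisory: the victim's browser attaches the
    session cookie, but the foreign page has no token and a foreign Origin."""
    form = {"action": "changeup", "newuser": "someone-else", "newpass": "changed"}
    return handle_changeup(sid, form, origin="https://other-site.example")


def legitimate_request(sid):
    """The admin submits the real settings form, token included."""
    form = render_changeup_form(sid)
    form.update({"newuser": "admin2", "newpass": "correct horse battery staple"})
    return handle_changeup(sid, form, origin=SITE_ORIGIN)


if __name__ == "__main__":
    sid = new_session("admin")
    print(forged_request(sid))      # (403, 'csrf token missing or invalid')
    print(legitimate_request(sid))  # (200, 'credentials updated')
```

The token check alone is what closes the reported issue; the Origin check adds a second, independent barrier for browsers that send the header, and both failures are worth logging, since a burst of 403s on 'changeup' from an authenticated session is a usable detection signal.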

Added: Apr 4, 2026, 2:30 PM
Updated: Apr 4, 2026, 2:30 PM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 5.0
exploitability: 7.7
remediation: 0.0
relevance: 5.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.