Redaxo CMS Cross-Site Request Forgery Vulnerability Allowing Unauthorized Admin Account Creation

Vulnerability

A cross-site request forgery (CSRF) vulnerability exists in Redaxo CMS version 5.2. It allows an unauthenticated attacker to create administrative user accounts by luring an authenticated administrator to a malicious website. The attack page carries an HTML form whose hidden fields hold the credentials and account details of the new admin; the browser submits that form to the users endpoint with the administrator's session, so the account is created without the administrator's knowledge or consent.

Impact

Exploitation of this vulnerability could lead to unauthorized administrative access on the affected Redaxo CMS instance.

Reproduction

To reproduce this vulnerability, an attacker hosts a web page containing an HTML form that targets the Redaxo users endpoint. The form is pre-filled with the account parameters of the admin to be created, such as username, email, and password. When an authenticated administrator's browser submits the form, a new admin account is created on the Redaxo CMS without the administrator's consent.
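The server-side check that defeats this class of forged submission, shown here as an added example and not as Redaxo code: a per-session synchronizer token that only the site's own form can carry, plus an Origin check. Endpoint, parameter and origin names are assumptions chosen for the illustration.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Assumed origin of the CMS; a forged form is served from somewhere else.
ALLOWED_ORIGIN = "https://cms.example.test"


@dataclass
class Session:
    admin: bool
    # Random token bound to the session; a cross-site page cannot read it.
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))


def render_user_form(session):
    """The site's own form embeds the token as a hidden field (value returned here)."""
    return session.csrf_token


def create_user(session, headers, form, users):
    """Hypothetical users endpoint: returns (status, message).

    Rejects requests whose Origin/Referer is foreign or whose token does not
    match the session; a forged cross-site form fails both checks.
    """
    if not session.admin:
        return 403, "admin required"
    origin = headers.get("Origin") or headers.get("Referer", "")
    if origin and not origin.startswith(ALLOWED_ORIGIN):
        return 403, "cross-site origin rejected"
    # compare_digest avoids leaking the token through timing differences.
    if not hmac.compare_digest(form.get("_csrf", ""), session.csrf_token):
        return 403, "missing or invalid CSRF token"
    login = form["login"]
    if login in users:
        return 409, "user exists"
    users[login] = {"email": form.get("email", ""), "admin": form.get("admin") == "1"}
    return 201, f"user {login} created"


def demo():
    """Constructed scenario: one forged cross-site POST, one legitimate same-site POST."""
    users, session = {}, Session(admin=True)
    forged = create_user(session, {"Origin": "https://attacker-site.test"},
                         {"login": "evil", "email": "e@x.test", "password": "x", "admin": "1"}, users)
    legit = create_user(session, {"Origin": ALLOWED_ORIGIN},
                        {"login": "editor", "email": "ed@cms.example.test", "password": "x",
                         "admin": "0", "_csrf": render_user_form(session)}, users)
    return forged[0], legit[0], sorted(users)
```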

Added: Apr 4, 2026, 2:28 PM
Updated: Apr 4, 2026, 2:28 PM

Vulnerability Rating

Custom Algorithm (score per category)

  spread          3.4
  impact          2.5
  exploitability  7.7
  remediation     0.0
  relevance       5.4
  threat          6.4
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.