nodCMS
cpe:2.3:a:nodcms:nodcms:*:*:*:*:*:*:*
A cross-site request forgery (CSRF) vulnerability has been identified in nodCMS. This issue allows attackers to perform unauthorized administrative actions by creating malicious forms. Exploitation involves tricking authenticated administrators into submitting requests to specific admin endpoints, such as 'admin/user_manipulate' and 'admin/settings/generall'. This could result in the creation of new users or unauthorized modifications to application settings, all without the affected administrator's consent.
Exploitation of this vulnerability could lead to unauthorized administrative actions, such as creating users or altering application settings, potentially allowing for further exploitation or misuse of the application.
To reproduce this vulnerability, an attacker must create a form that submits a POST request to the 'admin/user_manipulate' endpoint, including the necessary user data, such as username, email, fullname, password, and status. This form can then be presented to an authenticated administrator, who, upon submission, will unintentionally create a new user with the specified details. Alternatively, for the 'admin/settings/generall' endpoint, a similar form can be crafted to submit application settings, including potentially harmful data such as a script tag for cross-site scripting (XSS) exploitation.
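The defect behind both endpoints is the same: the admin handlers accept any POST that arrives with a valid session cookie, and the browser attaches that cookie to a form submitted from another site. The standard fix is the synchronizer token pattern, optionally backed by an Origin/Referer check and a SameSite session cookie. The following is an added illustration written for this page, not code from nodCMS; the `Session`/`Request` classes, the `SITE_ORIGIN` value and the `handle_user_manipulate` handler are constructed stand-ins for a framework's own objects. It shows a request that carries the per-session token being accepted and a cross-site form submission (session cookie present, no token, foreign Origin) being refused with a reason a defender can log.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlparse

# Hypothetical site origin used for the Origin/Referer check (assumption, not from the advisory).
SITE_ORIGIN = "https://cms.example.test"


@dataclass
class Session:
    """Minimal server-side session: holds the per-session anti-CSRF token."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    """Constructed stand-in for an incoming HTTP POST (not a real framework object)."""
    path: str
    form: dict
    headers: dict
    session: Optional[Session] = None  # None when no valid session cookie was presented


def render_form_token(session: Session) -> str:
    """Hidden field the legitimate admin form embeds; a page on another origin cannot read it."""
    return f'<input type="hidden" name="csrf_token" value="{session.csrf_token}">'


def origin_allowed(headers: dict) -> bool:
    """Secondary check: the request must originate from this site.

    Origin is preferred, Referer is the fallback, and a state-changing POST
    with neither header is rejected rather than waved through.
    """
    value = headers.get("Origin") or headers.get("Referer")
    if not value:
        return False
    parsed = urlparse(value)
    site = urlparse(SITE_ORIGIN)
    return (parsed.scheme, parsed.netloc) == (site.scheme, site.netloc)


def csrf_protected(request: Request) -> tuple:
    """Decide whether a state-changing admin POST may proceed. Returns (allowed, reason)."""
    if request.session is None:
        return False, "no authenticated session"
    submitted = request.form.get("csrf_token", "")
    # Constant-time comparison so token bytes do not leak through timing differences.
    if not hmac.compare_digest(submitted, request.session.csrf_token):
        return False, "missing or invalid csrf token"
    if not origin_allowed(request.headers):
        return False, "origin/referer is not this site"
    return True, "ok"


def handle_user_manipulate(request: Request) -> dict:
    """Hypothetical admin user-creation handler, gated by the CSRF check."""
    allowed, reason = csrf_protected(request)
    if not allowed:
        # Worth logging: a 403 here with a foreign Origin is a CSRF attempt signal.
        return {"status": 403, "reason": reason}
    # Only reached for a request the administrator actually submitted from our own form.
    return {"status": 200, "created": request.form.get("username")}


if __name__ == "__main__":
    admin = Session(user="admin")
    print(render_form_token(admin))

    # Constructed legitimate submission: token from the rendered form, same-site Origin.
    legit = Request("admin/user_manipulate",
                    {"username": "newuser", "csrf_token": admin.csrf_token},
                    {"Origin": SITE_ORIGIN}, session=admin)
    print(handle_user_manipulate(legit))  # 200

    # Constructed cross-site submission: cookie (session) present, but no token and foreign Origin.
    forged = Request("admin/user_manipulate",
                     {"username": "newuser"},
                     {"Origin": "https://attacker.example.test"}, session=admin)
    print(handle_user_manipulate(forged))  # 403, "missing or invalid csrf token"
```

The token check is the primary control; the Origin/Referer check is defense in depth for cases where a token leaks or is omitted from one form. Marking the session cookie `SameSite=Lax` (or `Strict`) stops the browser from attaching it to cross-site POSTs in the first place, which closes the same hole even on endpoints that were forgotten when tokens were rolled out.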