OOP CMS Blog Cross-Site Request Forgery Vulnerability Allowing Unauthorized Admin Account Creation

Vulnerability

A cross-site request forgery (CSRF) vulnerability has been identified in OOP CMS Blog version 1.0. It allows unauthenticated attackers to create administrative user accounts by sending crafted POST requests to the addUser.php endpoint. The request must carry the userName, password, email and role parameters, with role set to the value that grants administrative privileges. Exploiting this vulnerability could lead to unauthorized access with admin rights.

Impact

Exploitation of this vulnerability allows for the creation of admin accounts, granting unauthorized users administrative privileges on the blog.

Reproduction

To reproduce this vulnerability, send a POST request to the addUser.php endpoint with the required parameters: userName, password, email, and role set to 'Admin'. This can be done manually or by using a crafted form that submits the necessary information. Once the request is processed, the new admin account will be created and can be used to log in.
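The fix for the endpoint described above, as an added example that is not OOP CMS Blog's own code: addUser.php only honours the request when it comes from an authenticated admin session and carries a session-bound CSRF token, and the role value is checked against an allow-list before the insert. The session key `role`, the `$pdo` connection, the `csrf_token` field name and the `users` table layout are assumptions.

```php
<?php
// Added example, not the project's own code. Assumes the login code stores the
// current user's role in $_SESSION['role'] and that $pdo is an open PDO handle.
session_start();

// Issue one unforgeable token per session; the add-user form embeds it as
// <input type="hidden" name="csrf_token" value="<?= htmlspecialchars(csrf_token()) ?>">
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Compare the submitted token with the session token in constant time.
function csrf_valid(?string $submitted): bool {
    return is_string($submitted)
        && !empty($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit;
}
// Authorization: only a logged-in admin may create accounts at all.
if (($_SESSION['role'] ?? '') !== 'Admin') {
    http_response_code(403);
    exit('Admin login required');
}
// CSRF: a forged cross-site form cannot know the session-bound token.
if (!csrf_valid($_POST['csrf_token'] ?? null)) {
    http_response_code(403);
    exit('Invalid CSRF token');
}

// Allow-list the role so a tampered value cannot grant more than intended
// (role names are assumed; use the application's actual set).
$allowedRoles = ['Admin', 'Editor', 'User'];
$role = in_array($_POST['role'] ?? '', $allowedRoles, true) ? $_POST['role'] : 'User';

$stmt = $pdo->prepare(
    'INSERT INTO users (userName, password, email, role) VALUES (?, ?, ?, ?)'
);
$stmt->execute([
    $_POST['userName'] ?? '',
    password_hash($_POST['password'] ?? '', PASSWORD_DEFAULT),
    $_POST['email'] ?? '',
    $role,
]);
echo 'User created';
```

Setting the session cookie with the SameSite attribute (via session_set_cookie_params) adds a second, browser-enforced layer, but the token check above is what closes the reported issue.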

Added: Mar 6, 2026, 1:18 PM
Updated: Mar 6, 2026, 1:18 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 7.7
remediation: 0.0
relevance: 3.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.