bloofoxCMS
cpe:2.3:a:bloofox:bloofoxcms:*:*:*:*:*:*:*
- <= 0.5.2.1
A cross-site request forgery (CSRF) vulnerability has been identified in bloofoxCMS version 0.5.2.1. It allows attackers to perform administrative actions by deceiving a logged-in user into visiting a malicious website: the victim's browser attaches the existing session cookie to the forged request, and the application does not verify that the request originated from its own forms. Exploitation involves crafting hidden forms that target the admin user creation endpoint, enabling the addition of new administrative accounts with arbitrary credentials, all without explicit user consent.
Exploitation of this vulnerability allows for unauthorized administrative access through the creation of new admin accounts.
To reproduce this vulnerability, a logged-in admin user must be tricked into visiting a crafted webpage. This page should contain a script that automatically submits a form to the admin user creation endpoint, including the desired username and password details. Once the form is submitted, a new admin account will be created with the specified credentials.
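The root cause and the fix, as an added illustration that is not part of this advisory or of bloofoxCMS's own code: a minimal model of an admin "create user" handler that accepts any request carrying a valid session (the pattern described above), beside the same handler guarded by a per-session synchronizer token and an Origin/Referer check. Endpoint shape, session fields and the site origin `https://cms.example` are assumptions.

```python
import hmac
import secrets
from urllib.parse import urlparse

# Assumed deployment origin; a forged cross-site request will not carry it.
SITE_ORIGIN = "https://cms.example"


def issue_csrf_token(session: dict) -> str:
    """Bind a fresh random token to the admin session; the legitimate admin
    form embeds it as a hidden field, a cross-site page cannot read it."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def create_admin_unprotected(session: dict, request: dict, users: dict) -> str:
    """Vulnerable pattern: only the session is checked, so a form auto-submitted
    by the victim's browser from another site is indistinguishable."""
    if not session.get("is_admin"):
        return "forbidden"
    users[request["form"]["username"]] = {"role": "admin"}
    return "created"


def csrf_check(session: dict, request: dict) -> bool:
    """Reject unless the submitted token matches the session token (constant-time
    compare) and the request's Origin (or Referer) is our own site."""
    expected = session.get("csrf_token")
    supplied = request["form"].get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False
    source = request["headers"].get("Origin") or request["headers"].get("Referer")
    if not source:
        return False  # no provenance at all: fail closed for a state-changing POST
    parsed = urlparse(source)
    return f"{parsed.scheme}://{parsed.netloc}" == SITE_ORIGIN


def create_admin_protected(session: dict, request: dict, users: dict) -> str:
    """Hardened handler: same business logic, but the CSRF check runs first."""
    if not session.get("is_admin"):
        return "forbidden"
    if not csrf_check(session, request):
        return "rejected"
    users[request["form"]["username"]] = {"role": "admin"}
    return "created"
```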