b2evolution Cross-Site Request Forgery Vulnerability in Admin Account Modification

Vulnerability

A cross-site request forgery (CSRF) vulnerability has been identified in b2evolution version 7.2.2. The admin account management script accepts state-changing requests on the strength of the victim's session cookie alone, without a per-request anti-forgery token. An attacker who holds no credentials of their own can therefore craft a malicious HTML form that, when loaded by a logged-in administrator, submits unauthorized changes to that administrator's user profile. The request is authenticated, but by the victim's existing session rather than by the attacker.

Impact

Exploitation of this vulnerability allows for unauthorized changes to be made to admin account details, including personal information and account settings.

Reproduction

To reproduce this vulnerability, an attacker creates an HTML form whose action points at the b2evolution admin account management script and whose fields correspond to the user account details they wish to change. The form is hosted on a page the attacker controls and that the victim is likely to visit, and a small script submits it automatically on page load. Because the browser attaches the victim's b2evolution session cookies to the cross-site POST, the change is applied as the victim without their knowledge. The attack requires that the victim is logged in to b2evolution in the same browser at the time the page is loaded.

Remediation

Users are advised to upgrade to b2evolution version 7.2.5, which addresses this vulnerability.
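The following is an added example, not code from b2evolution, from the advisory, or from the 7.2.5 fix. It models the request shape described under Reproduction (a cookie-bearing POST with an attacker-chosen Origin and no token) and runs it against two hypothetical profile-update handlers: one that checks the session cookie alone, as a CSRF-vulnerable handler does, and one that additionally requires a synchronizer token and a matching Origin header. The site origin, field names, session store and handler names are assumptions chosen for illustration; the real b2evolution endpoint and parameters are not named on this page and are not reproduced here.

```python
"""Added example: cookie-only versus token-plus-Origin CSRF checks.
Requests are constructed dicts that stand in for HTTP requests."""
import hmac
import secrets

SITE_ORIGIN = "https://blog.example"  # assumption: the site's own origin

# Simulated server-side session store: session id -> session data.
SESSIONS = {}


def new_session(user: str) -> str:
    """Log a user in: create a session and a per-session CSRF token."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {
        "user": user,
        "csrf_token": secrets.token_urlsafe(32),
        "profile": {"email": f"{user}@blog.example"},
    }
    return sid


def _session_from_cookies(request: dict):
    sid = request.get("cookies", {}).get("session")
    return SESSIONS.get(sid)


def update_profile_vulnerable(request: dict):
    """Before: authenticates by session cookie alone, so any POST the
    browser attaches the cookie to is accepted, including one that an
    attacker's page auto-submitted."""
    session = _session_from_cookies(request)
    if session is None or request["method"] != "POST":
        return 403, "login required"
    session["profile"]["email"] = request["form"]["email"]
    return 200, "profile updated"


def update_profile_hardened(request: dict):
    """After: the same handler with two independent anti-forgery checks."""
    session = _session_from_cookies(request)
    if session is None or request["method"] != "POST":
        return 403, "login required"
    # Check 1: synchronizer token. The attacker's page cannot read the
    # token (same-origin policy), so a forged form cannot include it.
    # Constant-time compare on bytes avoids leaking the token by timing.
    sent = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(sent.encode(), session["csrf_token"].encode()):
        return 403, "csrf token missing or invalid"
    # Check 2: Origin must be our own site. Browsers set Origin on
    # cross-site form POSTs and page script cannot change it.
    if request.get("headers", {}).get("Origin") != SITE_ORIGIN:
        return 403, "cross-origin request rejected"
    session["profile"]["email"] = request["form"]["email"]
    return 200, "profile updated"


def forged_request(sid: str) -> dict:
    """Constructed model of the auto-submitted form: the victim's browser
    adds the session cookie, Origin is the attacker's page, no token."""
    return {
        "method": "POST",
        "headers": {"Origin": "https://attacker.example"},
        "cookies": {"session": sid},
        "form": {"email": "attacker@attacker.example"},
    }


def legitimate_request(sid: str) -> dict:
    """Constructed model of the site's real profile form, which embeds
    the session's token as a hidden field."""
    return {
        "method": "POST",
        "headers": {"Origin": SITE_ORIGIN},
        "cookies": {"session": sid},
        "form": {"email": "admin-new@blog.example",
                 "csrf_token": SESSIONS[sid]["csrf_token"]},
    }


def demo() -> dict:
    """Run the forged request against both handlers and the legitimate
    request against the hardened one; return the observable outcomes."""
    sid_vuln = new_session("admin")
    vuln_status, _ = update_profile_vulnerable(forged_request(sid_vuln))
    sid_hard = new_session("admin")
    hard_status, _ = update_profile_hardened(forged_request(sid_hard))
    email_after_forgery = SESSIONS[sid_hard]["profile"]["email"]
    legit_status, _ = update_profile_hardened(legitimate_request(sid_hard))
    return {
        "vulnerable_status": vuln_status,
        "vulnerable_email": SESSIONS[sid_vuln]["profile"]["email"],
        "hardened_status": hard_status,
        "hardened_email_after_forgery": email_after_forgery,
        "legitimate_status": legit_status,
        "hardened_email_after_legit": SESSIONS[sid_hard]["profile"]["email"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The strict Origin comparison rejects any request without an Origin header; a production handler that must serve clients which omit it would fall back to checking Referer against the site origin rather than accepting a missing header, since silently accepting it reopens the hole the token check closes. Marking the session cookie SameSite=Lax or Strict adds a third, browser-enforced layer, but it is not a substitute for the server-side token.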

Added: Jan 16, 2026, 12:39 AM
Updated: Jan 16, 2026, 12:39 AM

Vulnerability Rating

Custom Algorithm

  spread          3.4
  impact          2.5
  exploitability  7.9
  remediation     7.7
  relevance       2.1
  threat          6.4
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.