XiaoBingby TeaCMS Cross-Site Request Forgery Vulnerability

A cross-site request forgery (CSRF) vulnerability exists in XiaoBingby TeaCMS version 2.0.2. The issue arises in the UserManageController's addUser function, where an unknown functionality can be manipulated to perform unauthorized actions. This vulnerability can be exploited remotely, and the details of the exploit have been made public.

Impact

Exploitation of this vulnerability allows for cross-site request forgery, where an attacker can trick a user into performing actions without their consent, potentially leading to unauthorized changes or data manipulation within the application.

Reproduction

To reproduce this vulnerability, log into the application as an administrator and navigate to the user management section. After adding a user, intercept the request using a web application proxy. Create a CSRF proof of concept by replicating the intercepted request and including it in a malicious link. Simulate an administrator click on this link to trigger the CSRF attack, which will result in the unauthorized addition of a user.