zhenfeng13 My-Blog
cpe:2.3:a:my-blog_project:my-blog:*:*:*:*:*:*:*
- <= 1.0.0
A cross-site request forgery (CSRF) vulnerability has been identified in Zhenfeng13 My-Blog versions through 1.0.0. The '/admin/tags/save' endpoint lacks CSRF protection, and the issue involves its 'tagName' argument. Remote attackers can use this to initiate CSRF attacks against admin users, especially when combined with existing cross-site scripting (XSS) vulnerabilities.
Exploitation of this vulnerability could lead to unauthorized actions being performed on behalf of an admin user, potentially allowing for administrative privileges to be misused or abused.
To reproduce this vulnerability, send a request to the '/admin/tags/save' endpoint without any CSRF protection, manipulating the 'tagName' argument. Because the endpoint has no CSRF safeguards, the attack can succeed if the target admin user is tricked into interacting with the malicious request.