InstantCMS
cpe:2.3:a:instantcms:instantcms:*:*:*:*:*:*:*
- 2.18.0
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in InstantCMS versions prior to 2.18.1. The application does not properly validate CSRF tokens, which lets attackers perform various actions on behalf of users. These actions include granting moderator privileges, executing scheduled tasks, moving posts to the trash, and accepting friend requests. The vulnerability can be exploited by converting POST requests into GET requests, because sensitive actions do not verify a CSRF token.
Exploitation of this vulnerability allows for unauthorized actions to be performed on behalf of users, including administrative tasks such as moderating content and managing scheduled operations.
To reproduce this vulnerability, log into InstantCMS as an administrator. Navigate to the 'admin/ctypes' endpoint and click on the permissions icon for the news category. This action sends a POST request to add a user as a moderator, but without a CSRF token. The vulnerability can be exploited by converting this request to a GET request and including it in a rich text editor. Similar methods can be used to move posts to the trash, execute scheduled tasks, and accept friend requests on behalf of users.
Users are advised to update to InstantCMS version 2.18.1, where this vulnerability has been addressed.
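For custom controllers or extensions that perform state-changing actions, the two checks whose absence is described above (request method and CSRF token) can be enforced before the action runs. The following is an added example, not InstantCMS code and not the 2.18.1 fix; the function names and the `csrf_token` field name are hypothetical, and the requests at the end are constructed for illustration.

```php
<?php
// Added example: framework-neutral guard, not InstantCMS code.
// csrf_issue_token(), csrf_guard() and the 'csrf_token' field are hypothetical names.

/** Create (once per session) and return the CSRF token. */
function csrf_issue_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

/**
 * Decide whether a state-changing action may run.
 * $method: request method, $post: parsed body fields, $session: session store.
 * Returns [allowed, reason].
 */
function csrf_guard(string $method, array $post, array $session): array
{
    // 1. A POST action replayed as GET (for example via an embedded URL) stops here.
    if (strtoupper($method) !== 'POST') {
        return [false, 'method not allowed'];
    }
    // 2. The token is read from the request body only, never from the query string.
    $sent = $post['csrf_token'] ?? '';
    $expected = $session['csrf_token'] ?? '';
    if (!is_string($sent) || $sent === '' || $expected === '') {
        return [false, 'missing token'];
    }
    // 3. Constant-time comparison against the session-bound token.
    if (!hash_equals($expected, $sent)) {
        return [false, 'token mismatch'];
    }
    return [true, 'ok'];
}

// Constructed requests covering the failure modes and the valid case.
$session = [];
$token = csrf_issue_token($session);
$cases = [
    'GET, no token'     => ['GET',  []],
    'POST, no token'    => ['POST', []],
    'POST, wrong token' => ['POST', ['csrf_token' => str_repeat('0', 64)]],
    'POST, valid token' => ['POST', ['csrf_token' => $token]],
];
foreach ($cases as $label => [$method, $post]) {
    [$ok, $why] = csrf_guard($method, $post, $session);
    printf("%-18s => %s (%s)\n", $label, $ok ? 'allow' : 'deny', $why);
}
```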