
CVE-2013-20005 | EUVD-2013-7290 | MEDIUM
Weakness as listed: Cross-site Scripting (XSS) (CWE-79)
Published 2026-03-15, VulnCheck
CVSS 4.0 base score: 6.9

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None (as scored; see Analysis)
Scope: X (not defined; CVSS 4.0 has no Scope metric)

Lifecycle Timeline

Apr 15, 2026 15:22 (NVD): CVSS changed from 5.3 (MEDIUM) to 6.9 (MEDIUM)
Mar 16, 2026 14:53 (vuln.today): PoC detected, public exploit code
Mar 15, 2026 19:00 (EUVD): EUVD ID assigned, EUVD-2013-7290
Mar 15, 2026 19:00 (vuln.today): analysis generated
Mar 15, 2026 18:34 (NVD): CVE published, scored MEDIUM 5.3

Description (NVD)

Qool CMS 2.0 RC2 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions by tricking logged-in users into visiting malicious web pages. Attackers can forge POST requests to the /admin/adduser endpoint with parameters like username, password, email, and level to create root-level user accounts without user consent.

Analysis (AI)

Qool CMS 2.0 RC2 is vulnerable to cross-site request forgery (CSRF). An attacker who controls a web page can, when a logged-in Qool administrator loads it, make the administrator's browser submit a forged POST to /admin/adduser; because the browser attaches the administrator's session cookie, the CMS creates the requested root-level account. The attacker needs no account on the CMS, but the attack does depend on a privileged user visiting the attacker's page, so the UI:N in the NVD vector should be read with care: CSRF always needs a victim action. NVD first scored the issue 5.3 (MEDIUM) and later revised it to 6.9 (MEDIUM) under CVSS 4.0. The integrity impact is "low" only in the CVSS sense of a single forged action; that one action hands the attacker a persistent administrative login.

Technical Context (AI)

The page's weakness label is CWE-79 (cross-site scripting), but the behaviour described is cross-site request forgery, CWE-352. The /admin/adduser endpoint accepts a POST carrying username, password, email and level and checks only that the request carries a valid administrator session cookie. It does not require a per-session anti-CSRF token and it does not check the Origin or Referer header. The same-origin policy is not bypassed here and does not need to be: it stops the attacker's page from reading responses from the CMS, but it does not stop a plain HTML form on the attacker's page from submitting a POST to the CMS, and the browser attaches the CMS session cookie to that submission. Any page the administrator loads while logged in, carrying an auto-submitting form or equivalent script, therefore creates the account the attacker chose. The affected version is a release candidate (2.0 RC2); the page does not say whether later releases changed this behaviour.
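The following is an added example, not Qool CMS code: a minimal model of an /admin/adduser handler in the vulnerable shape described above, beside a hardened version that adds the synchronizer token and Origin/Referer check the Remediation section calls for. The request shape, the cookie name, the session layout and every request it processes are assumptions constructed for the demo; the point is that the forged request and the legitimate one are indistinguishable to the vulnerable handler.

```python
"""Added example, not Qool CMS code: a minimal model of an /admin/adduser
handler in its vulnerable form and in a hardened form (synchronizer token
plus Origin/Referer check). Request shape, cookie name and session layout
are assumptions; every request below is constructed for the demo."""
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

SITE_ORIGIN = "https://cms.example"      # assumed origin of the admin panel
SESSION_COOKIE = "qool_session"          # assumed cookie name
# Server-side session store with one logged-in root administrator (assumed layout).
SESSIONS = {"s3ss10n": {"user": "admin", "level": "root"}}


@dataclass
class Request:
    method: str
    path: str
    cookies: dict
    form: dict
    headers: dict = field(default_factory=dict)


def current_session(req):
    return SESSIONS.get(req.cookies.get(SESSION_COOKIE))


def adduser_vulnerable(req, users):
    """The CSRF pattern: only the session cookie is checked. A cross-site
    form post carries that cookie, so a forged request looks legitimate."""
    sess = current_session(req)
    if req.method != "POST" or sess is None or sess["level"] != "root":
        return 403, "forbidden"
    users[req.form["username"]] = {"email": req.form["email"], "level": req.form["level"]}
    return 200, "user created"


def issue_csrf_token(sess):
    """Synchronizer token: random, stored in the session, echoed back in the form."""
    sess["csrf"] = secrets.token_urlsafe(32)
    return sess["csrf"]


def same_origin(req):
    """Accept only requests whose Origin (or, failing that, Referer) is the
    CMS itself. A state-changing request with neither header is rejected."""
    src = req.headers.get("Origin") or req.headers.get("Referer")
    if not src:
        return False
    p = urlsplit(src)
    return f"{p.scheme}://{p.netloc}" == SITE_ORIGIN


def adduser_hardened(req, users):
    """Same handler with an origin check and a constant-time token compare."""
    sess = current_session(req)
    if req.method != "POST" or sess is None or sess["level"] != "root":
        return 403, "forbidden"
    if not same_origin(req):
        return 403, "cross-site request rejected"
    expected = sess.get("csrf")
    supplied = req.form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return 403, "missing or invalid csrf token"
    users[req.form["username"]] = {"email": req.form["email"], "level": req.form["level"]}
    return 200, "user created"


def forged_request():
    """Constructed: what the admin's browser sends after an attacker page
    auto-submits a form to /admin/adduser. The session cookie is attached
    by the browser, there is no token, and Origin is the attacker's site."""
    return Request("POST", "/admin/adduser",
                   cookies={SESSION_COOKIE: "s3ss10n"},
                   form={"username": "eve", "password": "x",
                         "email": "eve@attacker.example", "level": "root"},
                   headers={"Origin": "https://attacker.example"})


def legitimate_request(token):
    """Constructed: the same form submitted from the CMS's own admin page."""
    req = forged_request()
    req.form = {**req.form, "username": "bob", "csrf_token": token}
    req.headers = {"Origin": SITE_ORIGIN}
    return req


def demo():
    """Run the forged request through both handlers, then a same-origin
    request without a token and a legitimate one through the hardened handler."""
    users_vuln, users_hard = {}, {}
    vuln = adduser_vulnerable(forged_request(), users_vuln)[0]
    hard_forged = adduser_hardened(forged_request(), users_hard)[0]
    token = issue_csrf_token(SESSIONS["s3ss10n"])
    no_token = forged_request()
    no_token.headers = {"Origin": SITE_ORIGIN}
    hard_no_token = adduser_hardened(no_token, users_hard)[0]
    hard_legit = adduser_hardened(legitimate_request(token), users_hard)[0]
    return {"vulnerable_forged": vuln, "hardened_forged": hard_forged,
            "hardened_no_token": hard_no_token, "hardened_legit": hard_legit,
            "vuln_users": sorted(users_vuln), "hard_users": sorted(users_hard)}


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the vulnerable handler creating the attacker's "eve" root account from the forged request (200) while the hardened handler rejects it at the origin check (403), rejects a same-origin request that lacks the token (403), and accepts only the token-bearing request from the CMS's own page (200). The origin check and the token are independent layers; either one alone would stop this particular forgery, but the token also covers browsers or proxies that strip Origin and Referer.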

Remediation (AI)

Upgrade Qool CMS to the latest available stable version and confirm with the vendor or its security advisory that the release actually addresses this CSRF issue; the page does not name a fixed version. If upgrading is not immediately feasible, apply the following mitigations:
(1) Require an anti-CSRF token on every state-changing administrative request, /admin/adduser first: a synchronizer token stored in the server-side session and compared in constant time, or a signed double-submit cookie. Reject a request whose token is absent or mismatched before doing any work.
(2) Check the Origin header (falling back to Referer) on those requests and reject anything that is missing or not from the CMS's own origin. Where the browser sends Sec-Fetch-Site, it gives the same signal.
(3) Set SameSite=Lax or SameSite=Strict on the session cookie. Lax blocks cross-site POSTs but still sends the cookie on top-level GET navigations, so it only helps if /admin/adduser refuses GET; treat SameSite as defence in depth, not as the fix.
(4) Do not rely on Content-Security-Policy for this: form-action governs where forms on the CMS's own pages may submit, not what an attacker's page may submit to the CMS.
(5) Require re-authentication (password re-entry) for user creation and privilege changes. Restricting the admin panel to trusted source addresses or a VPN reduces exposure but does not stop CSRF on its own, because the forged request comes from the administrator's own browser.
Additionally, audit existing accounts for root-level users nobody recognises, created during any period when the vulnerable version was reachable, and review administrative and web-server logs for POSTs to /admin/adduser whose Referer is missing or points off-site.
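For the audit step, the following added example (not Qool CMS tooling) flags POSTs to /admin/adduser in a web-server access log whose Referer is absent or not the CMS's own host. It assumes the admin panel sits behind a server writing the Apache/nginx "combined" format and that the panel's host is cms.example; the sample log lines are constructed. A missing Referer is flagged too, because an attacker page can suppress it with a no-referrer policy.

```python
"""Added example, not Qool CMS code: flag POSTs to /admin/adduser in a
'combined' format access log whose Referer is missing or off-site.
The host name and the sample log lines are constructed for the demo."""
import re
from urllib.parse import urlsplit

SITE_HOST = "cms.example"   # assumed host of the admin panel

# Apache/nginx "combined": ip ident user [ts] "method path proto" status bytes "referer" "ua"
COMBINED = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"')

# Constructed sample: one legitimate creation from the CMS's own admin page,
# one forged from an attacker page, one with the Referer suppressed, and one
# unrelated GET that must not be flagged.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Mar/2026:14:50:01 +0000] "POST /admin/adduser HTTP/1.1" 200 512 "https://cms.example/admin/users" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2026:14:53:12 +0000] "POST /admin/adduser HTTP/1.1" 200 512 "https://attacker.example/win.html" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2026:14:54:00 +0000] "POST /admin/adduser HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2026:14:55:00 +0000] "GET /admin/users HTTP/1.1" 200 2048 "https://cms.example/admin" "Mozilla/5.0"
"""


def suspicious_adduser(lines):
    """Return the non-error (status < 400) POSTs to /admin/adduser whose
    Referer is absent ("-") or whose host is not the CMS itself."""
    hits = []
    for line in lines:
        m = COMBINED.match(line)
        if m is None or m["method"] != "POST":
            continue
        if m["path"].split("?", 1)[0] != "/admin/adduser" or int(m["status"]) >= 400:
            continue
        referer = m["referer"]
        host = urlsplit(referer).hostname if referer != "-" else None
        if host != SITE_HOST:
            hits.append({"ts": m["ts"], "ip": m["ip"], "referer": referer})
    return hits


if __name__ == "__main__":
    for hit in suspicious_adduser(SAMPLE_LOG.splitlines()):
        print(hit)
```

On the sample this returns the attacker-referred POST and the referer-less one, and ignores the legitimate creation and the GET. A hit is a lead, not proof: some privacy extensions and proxies strip Referer on every request, so match each hit against the CMS's own user table and the administrator's recollection before treating the account as attacker-created.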
