Wondercms
CVE-2017-7951
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
WonderCMS before 2.0.3 has CSRF because of lack of a token in an unspecified context.
AnalysisAI
WonderCMS before 2.0.3 has CSRF because of lack of a token in an unspecified context. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.
Technical ContextAI
This vulnerability is classified as Cross-Site Request Forgery (CSRF) (CWE-352), which allows attackers to trick authenticated users into performing unintended actions. WonderCMS before 2.0.3 has CSRF because of lack of a token in an unspecified context. Affected products include: Wondercms. Version information: before 2.0.3.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Implement anti-CSRF tokens, validate Origin/Referer headers, use SameSite cookie attribute.
Cross Site Scripting vulnerability in Wonder CMS v.3.2.0 thru v.3.4.2 allows a remote attacker to execute arbitrary code
A cross-site scripting (XSS) vulnerability in the Settings section of WonderCMS v3.4.3 allows attackers to execute arbit
An issue was discovered in WonderCMS before 2.5.2. Rated high severity (CVSS 8.8), this vulnerability is remotely exploi
A Server-Side Request Forgery (SSRF) in the installUpdateThemePluginAction function of WonderCMS v3.1.3 allows attackers
Wonder CMS 2014 allows remote attackers to obtain sensitive information by viewing /files/password, which reveals the un
WonderCMS 3.5.0 is vulnerable to Server-Side Request Forgery (SSRF) in the custom module installation functionality. Rat
Cross-site scripting (XSS) vulnerability in Wonder CMS 2014 allows remote attackers to inject arbitrary web script or HT
Multiple cross-site scripting (XSS) vulnerabilities in the HOW TO page of WonderCMS v3.4.3 allows attackers to execute a
A cross-site scripting (XSS) vulnerability in the Settings section of WonderCMS v3.4.3 allows attackers to execute arbit
Directory traversal vulnerability in index.php in Wonder CMS 2014 allows remote attackers to include and execute arbitra
PHP remote file inclusion vulnerability in editInplace.php in Wonder CMS 2014 allows remote attackers to execute arbitra
A cross-site scripting (XSS) vulnerability in the Settings section of WonderCMS v3.4.3 allows attackers to execute arbit
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today