Skip to main content

Tuzicms CVE-2018-10185

HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
2018-04-17 cve@mitre.org
8.8
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Apr 17, 2018 - 19:29 nvd
HIGH 8.8

DescriptionNVD

An issue was discovered in TuziCMS v2.0.6. There is a CSRF vulnerability that can add an admin account, as demonstrated by a history.pushState call.

AnalysisAI

An issue was discovered in TuziCMS v2.0.6. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified as Cross-Site Request Forgery (CSRF) (CWE-352), which allows attackers to trick authenticated users into performing unintended actions. An issue was discovered in TuziCMS v2.0.6. There is a CSRF vulnerability that can add an admin account, as demonstrated by a history.pushState call. Affected products include: Tuzicms.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Implement anti-CSRF tokens, validate Origin/Referer headers, use SameSite cookie attribute.

CVE-2023-0244 CRITICAL POC
9.8 Jan 12

A vulnerability classified as critical was found in TuziCMS 2.0.6. Rated critical severity (CVSS 9.8), this vulnerabilit

CVE-2023-0243 CRITICAL POC
9.8 Jan 12

A vulnerability classified as critical has been found in TuziCMS 2.0.6. Rated critical severity (CVSS 9.8), this vulnera

CVE-2022-23882 CRITICAL POC
9.8 Mar 28

TuziCMS 2.0.6 is affected by SQL injection in \App\Manage\Controller\BannerController.class.php. Rated critical severity

CVE-2022-26301 CRITICAL POC
9.8 Mar 24

TuziCMS v2.0.6 was discovered to contain a SQL injection vulnerability via the component App\Manage\Controller\ZhuantiCo

CVE-2021-44347 CRITICAL POC
9.8 Dec 03

SQL Injection vulnerability exists in TuziCMS v2.0.6 in App\Manage\Controller\GuestbookController.class.php. Rated criti

CVE-2019-16644 CRITICAL POC
9.8 Sep 20

App\Home\Controller\ZhuantiController.class.php in TuziCMS 2.0.6 has SQL injection via the index.php/Zhuanti/group?id= s

CVE-2019-16642 CRITICAL POC
9.8 Sep 20

App\Mobile\Controller\ZhuantiController.class.php in TuziCMS 2.0.6 has SQL injection via the index.php/Mobile/Zhuanti/gr

CVE-2019-16659 HIGH POC
8.8 Sep 21

TuziCMS 2.0.6 has index.php/manage/link/do_add CSRF. Rated high severity (CVSS 8.8), this vulnerability is remotely expl

CVE-2019-16658 HIGH POC
8.8 Sep 21

TuziCMS 2.0.6 has index.php/manage/notice/do_add CSRF. Rated high severity (CVSS 8.8), this vulnerability is remotely ex

CVE-2019-16657 MEDIUM POC
6.1 Sep 21

TuziCMS 2.0.6 has XSS via the PATH_INFO to a group URI, as demonstrated by index.php/article/group/id/2/. Rated medium s

CVE-2021-44349 CRITICAL
9.8 Dec 03

SQL Injection vulnerability exists in TuziCMS v2.0.6 via the id parameter in App\Manage\Controller\DownloadController.cl

CVE-2021-44348 CRITICAL
9.8 Dec 03

SQL Injection vulnerability exists in TuziCMS v2.0.6 via the id parameer in App\Manage\Controller\AdvertController.class

Share

CVE-2018-10185 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy