Skip to main content

Ucms CVE-2018-20598

HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
2018-12-30 cve@mitre.org
8.8
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Dec 30, 2018 - 21:29 nvd
HIGH 8.8

DescriptionNVD

UCMS 1.4.7 has ?do=user_addpost CSRF.

AnalysisAI

UCMS 1.4.7 has ?do=user_addpost CSRF. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified as Cross-Site Request Forgery (CSRF) (CWE-352), which allows attackers to trick authenticated users into performing unintended actions. Affected products include: Ucms Project Ucms.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Implement anti-CSRF tokens, validate Origin/Referer headers, use SameSite cookie attribute.

More in Ucms

View all
CVE-2022-38297 CRITICAL POC
9.8 Sep 12

UCMS v1.6.0 contains an authentication bypass vulnerability which is exploited via cookie poisoning. Rated critical seve

CVE-2022-35426 CRITICAL POC
9.8 Aug 10

UCMS 1.6 is vulnerable to arbitrary file upload via ucms/sadmin/file PHP file. Rated critical severity (CVSS 9.8), this

CVE-2020-25537 CRITICAL POC
9.8 Nov 30

File upload vulnerability exists in UCMS 1.5.0, and the attacker can take advantage of this vulnerability to obtain serv

CVE-2020-25483 CRITICAL POC
9.8 Oct 23

An arbitrary command execution vulnerability exists in the fopen() function of file writes of UCMS v1.4.8, where an atta

CVE-2018-17036 CRITICAL POC
9.8 Sep 14

An issue was discovered in UCMS 1.4.6 and 1.6. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploi

CVE-2018-17035 CRITICAL POC
9.8 Sep 14

UCMS 1.4.6 has SQL injection during installation via the install/index.php mysql_dbname parameter. Rated critical severi

CVE-2022-42234 HIGH POC
8.8 Oct 14

There is a file inclusion vulnerability in the template management module in UCMS 1.6. Rated high severity (CVSS 8.8), t

CVE-2022-28440 HIGH POC
8.8 Apr 21

An arbitrary file upload vulnerability in UCMS v1.6 allows attackers to execute arbitrary code via a crafted PHP file. R

CVE-2019-12251 HIGH POC
8.8 May 21

sadmin/ceditpost.php in UCMS 1.4.7 allows SQL Injection via the index.php?do=sadmin_ceditpost cvalue parameter. Rated hi

CVE-2018-20599 HIGH POC
8.8 Dec 30

UCMS 1.4.7 allows remote attackers to execute arbitrary PHP code by entering this code during an index.php sadmin_fileed

CVE-2018-19437 HIGH POC
8.8 Nov 22

UCMS 1.4.7 allows remote authenticated users to change the administrator password because $_COOKIE['admin_'.cookiehash]

CVE-2018-17037 HIGH POC
8.8 Sep 14

user/editpost.php in UCMS 1.4.6 mishandles levels, which allows escalation from the normal user level of 1 to the superu

Share

CVE-2018-20598 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy