Skip to main content

Phpmywind CVE-2020-19964

MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2021-10-14 cve@mitre.org
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

1
CVE Published
Oct 14, 2021 - 15:15 nvd
MEDIUM 6.5

DescriptionNVD

A Cross Site Request Forgery (CSRF) vulnerability was discovered in PHPMyWind 5.6 which allows attackers to create a new administrator account without authentication.

AnalysisAI

A Cross Site Request Forgery (CSRF) vulnerability was discovered in PHPMyWind 5.6 which allows attackers to create a new administrator account without authentication. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified as Cross-Site Request Forgery (CSRF) (CWE-352), which allows attackers to trick authenticated users into performing unintended actions. A Cross Site Request Forgery (CSRF) vulnerability was discovered in PHPMyWind 5.6 which allows attackers to create a new administrator account without authentication. Affected products include: Phpmywind.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Implement anti-CSRF tokens, validate Origin/Referer headers, use SameSite cookie attribute.

CVE-2021-39503 HIGH POC
7.2 Sep 07

PHPMyWind 5.6 is vulnerable to Remote Code Execution. Rated high severity (CVSS 7.2), this vulnerability is remotely exp

CVE-2018-17134 HIGH POC
7.2 Sep 17

admin/web_config.php in PHPMyWind 5.5 allows Admin users to execute arbitrary code via the cfg_author field in conjuncti

CVE-2018-17133 HIGH POC
7.2 Sep 17

admin/web_config.php in PHPMyWind 5.5 allows Admin users to execute arbitrary code via the rewrite url setting. Rated hi

CVE-2018-17132 HIGH POC
7.2 Sep 17

admin/goods_update.php in PHPMyWind 5.5 allows Admin users to execute arbitrary code via the attrvalue[] array parameter

CVE-2018-17131 HIGH POC
7.2 Sep 17

admin/web_config.php in PHPMyWind 5.5 allows Admin users to execute arbitrary code via the varvalue field. Rated high se

CVE-2017-12984 MEDIUM POC
6.1 Aug 21

PHPMyWind 5.3 has XSS in shoppingcart.php, related to message.php, admin/message.php, and admin/message_update.php. Rate

CVE-2019-16703 MEDIUM POC
6.1 Sep 23

admin/infolist_add.php in PHPMyWind 5.6 has stored XSS. Rated medium severity (CVSS 6.1), this vulnerability is remotely

CVE-2019-7661 MEDIUM POC
6.1 Mar 07

An issue was discovered in PHPMyWind 5.5. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable,

CVE-2019-7660 MEDIUM POC
6.1 Mar 07

An issue was discovered in PHPMyWind 5.5. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable,

CVE-2019-7402 MEDIUM POC
6.1 Feb 05

An issue was discovered in PHPMyWind 5.5. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable,

CVE-2018-17130 MEDIUM POC
5.4 Sep 17

PHPMyWind 5.5 has XSS in member.php via an HTTP Referer header,. Rated medium severity (CVSS 5.4), this vulnerability is

CVE-2019-7403 MEDIUM POC
4.9 Feb 05

An issue was discovered in PHPMyWind 5.5. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable,

Share

CVE-2020-19964 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy