Skip to main content

Blackcat Cms CVE-2020-25453

HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
2020-09-15 cve@mitre.org
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Sep 15, 2020 - 22:15 nvd
HIGH 8.8

DescriptionNVD

An issue was discovered in BlackCat CMS before 1.4. There is a CSRF vulnerability (bypass csrf_token) that allows remote arbitrary code execution.

AnalysisAI

An issue was discovered in BlackCat CMS before 1.4. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified as Cross-Site Request Forgery (CSRF) (CWE-352), which allows attackers to trick authenticated users into performing unintended actions. An issue was discovered in BlackCat CMS before 1.4. There is a CSRF vulnerability (bypass csrf_token) that allows remote arbitrary code execution. Affected products include: Blackcat-Cms Blackcat Cms. Version information: before 1.4..

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Implement anti-CSRF tokens, validate Origin/Referer headers, use SameSite cookie attribute.

CVE-2017-13670 MEDIUM POC
6.5 Aug 31

In BlackCat CMS 1.2, remote authenticated users can upload any file via the media upload function in backend/media/ajax_

CVE-2023-44043 MEDIUM POC
6.1 Sep 27

A reflected cross-site scripting (XSS) vulnerability in /install/index.php of Black Cat CMS 1.4.1 allows attackers to ex

CVE-2017-9609 MEDIUM POC
5.4 Jul 17

Cross-site scripting (XSS) vulnerability in Blackcat CMS 1.2 allows remote authenticated users to inject arbitrary web s

CVE-2023-44042 MEDIUM POC
5.4 Sep 27

A stored cross-site scripting (XSS) vulnerability in /settings/index.php of Black Cat CMS 1.4.1 allows attackers to exec

CVE-2018-16635 MEDIUM POC
5.4 Dec 10

Blackcat CMS 1.3.2 allows XSS via the willkommen.php?lang=DE page title at backend/pages/modify.php. Rated medium severi

CVE-2017-14050 HIGH
8.8 Aug 31

In BlackCat CMS 1.2, backend/addons/install.php allows remote authenticated users to execute arbitrary PHP code via a ZI

CVE-2017-14399 HIGH
8.8 Sep 12

In BlackCat CMS 1.2.2, unrestricted file upload is possible in backend\media\ajax_rename.php via the extension parameter

CVE-2015-5521 MEDIUM POC
4.8 Jul 14

Cross-site scripting (XSS) vulnerability in BlackCat CMS 1.1.2 allows remote attackers to inject arbitrary web script or

CVE-2017-14048 HIGH
8.8 Aug 31

BlackCat CMS 1.2 allows remote authenticated users to inject arbitrary PHP code into info.php via a crafted new_modulena

CVE-2021-27237 MEDIUM POC
4.8 Feb 16

The admin panel in BlackCat CMS 1.3.6 allows stored XSS (by an admin) via the Display Name field to backend/preferences/

CVE-2018-10821 MEDIUM POC
4.8 Jun 14

Cross-site scripting (XSS) vulnerability in backend/pages/modify.php in BlackCatCMS 1.3 allows remote authenticated user

CVE-2014-5259 MEDIUM POC
4.3 Sep 12

Cross-site scripting (XSS) vulnerability in cattranslate.php in the CatTranslate JQuery plugin in BlackCat CMS 1.0.3 and

Share

CVE-2020-25453 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy