Skip to main content

Qool Cms EUVDEUVD-2013-7290

| CVE-2013-20005 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-03-15 VulnCheck
6.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
CVSS changed
Apr 15, 2026 - 15:22 NVD
5.3 (MEDIUM) 6.9 (MEDIUM)
PoC Detected
Mar 16, 2026 - 14:53 vuln.today
Public exploit code
EUVD ID Assigned
Mar 15, 2026 - 19:00 euvd
EUVD-2013-7290
Analysis Generated
Mar 15, 2026 - 19:00 vuln.today
CVE Published
Mar 15, 2026 - 18:34 nvd
MEDIUM 5.3

DescriptionCVE.org

Qool CMS 2.0 RC2 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions by tricking logged-in users into visiting malicious web pages. Attackers can forge POST requests to the /admin/adduser endpoint with parameters like username, password, email, and level to create root-level user accounts without user consent.

AnalysisAI

Qool CMS 2.0 RC2 is vulnerable to cross-site request forgery (CSRF) that allows unauthenticated attackers to perform administrative actions on behalf of authenticated users. An attacker can craft malicious web pages that, when visited by a logged-in administrator, silently forge POST requests to the /admin/adduser endpoint to create root-level user accounts, resulting in unauthorized administrative access. The CVSS 5.3 score reflects moderate integrity impact with network attack vector and no privilege requirement, though the vulnerability requires user interaction (visiting a malicious page) to be exploited.

Technical ContextAI

The vulnerability stems from inadequate CSRF token validation in Qool CMS 2.0 RC2's administrative user creation functionality, classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). The /admin/adduser endpoint accepts POST requests containing username, password, email, and user level parameters without verifying a valid, per-session CSRF token or same-origin request headers. This allows an attacker to craft cross-origin POST requests via HTML forms or JavaScript that bypass the same-origin policy when a victim with active administrator credentials visits an attacker-controlled domain. The root cause is the absence of cryptographic CSRF protection mechanisms, which are fundamental to secure web application design. Qool CMS is a content management system targeted at small-to-medium deployments; the affected version 2.0 RC2 indicates this was a release candidate build, suggesting it may have had limited security review.

RemediationAI

Immediately upgrade Qool CMS to the latest available stable version; contact the Qool CMS vendor or consult their security advisory to confirm that current releases have addressed this CSRF vulnerability. If upgrading is not immediately feasible, implement the following mitigations: (1) enforce the use of cryptographic CSRF tokens (synchronizer tokens or double-submit cookies) on all state-changing administrative endpoints, particularly /admin/adduser; (2) add SameSite=Strict or SameSite=Lax cookie attributes to all session cookies to prevent cross-site request forgery; (3) implement Content-Security-Policy (CSP) headers to restrict form submission origins; (4) require re-authentication for sensitive administrative actions such as user creation; (5) restrict administrative panel access to a whitelist of trusted IP addresses or require VPN access. Additionally, audit existing user accounts for unauthorized root-level accounts created during any period when the system was exposed, and review administrative action logs for suspicious account creation events.

Share

EUVD-2013-7290 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy