EUVD-2013-7290 | CVE-2013-20005
MEDIUM 5.3 (CVSS 3.1)
2026-03-15, VulnCheck

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Lifecycle Timeline

PoC Detected: Mar 16, 2026 - 14:53 (vuln.today) - public exploit code
Analysis Generated: Mar 15, 2026 - 19:00 (vuln.today)
EUVD ID Assigned: Mar 15, 2026 - 19:00 (euvd) - EUVD-2013-7290
CVE Published: Mar 15, 2026 - 18:34 (nvd) - MEDIUM 5.3

Description

Qool CMS 2.0 RC2 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions by tricking logged-in users into visiting malicious web pages. Attackers can forge POST requests to the /admin/adduser endpoint with parameters like username, password, email, and level to create root-level user accounts without user consent.

Analysis

Qool CMS 2.0 RC2 is vulnerable to cross-site request forgery (CSRF) that allows unauthenticated attackers to perform administrative actions on behalf of authenticated users. An attacker can craft malicious web pages that, when visited by a logged-in administrator, silently forge POST requests to the /admin/adduser endpoint to create root-level user accounts, resulting in unauthorized administrative access. The CVSS 5.3 score reflects moderate integrity impact with network attack vector and no privilege requirement, though the vulnerability requires user interaction (visiting a malicious page) to be exploited.

Technical Context

The vulnerability stems from inadequate CSRF token validation in the administrative user creation functionality of Qool CMS 2.0 RC2, classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). The /admin/adduser endpoint accepts POST requests carrying username, password, email, and user level parameters without verifying a valid per-session CSRF token or checking same-origin request headers. An attacker can therefore craft cross-origin POST requests via HTML forms or JavaScript; the same-origin policy does not block such submissions, and the browser attaches the victim's session cookie, so the request succeeds whenever a victim with an active administrator session visits an attacker-controlled domain. The root cause is the absence of cryptographic CSRF protection mechanisms, which are fundamental to secure web application design. Qool CMS is a content management system targeted at small-to-medium deployments; the affected version 2.0 RC2 is a release candidate build, suggesting it may have had limited security review.

Affected Products

Qool CMS version 2.0 RC2 is the only affected version identified in this CVE, and the vulnerability lies in the administrative interface of that release candidate build. No CPE string was provided in the available data; the product is identified only as Qool CMS version 2.0 RC2, so organizations should check their exact deployment version against this identifier. Because RC2 is a release candidate, it is unclear whether the issue persists in subsequent stable releases (such as version 2.0 final or later major versions), making version verification essential before applying mitigations.

Remediation

Immediately upgrade Qool CMS to the latest available stable version; contact the Qool CMS vendor or consult their security advisory to confirm that current releases have addressed this CSRF vulnerability. If upgrading is not immediately feasible, implement the following mitigations:

(1) Enforce cryptographic CSRF tokens (synchronizer tokens or double-submit cookies) on all state-changing administrative endpoints, particularly /admin/adduser.
(2) Set the SameSite=Strict or SameSite=Lax attribute on all session cookies so the browser does not attach them to cross-site requests.
(3) Deploy Content-Security-Policy (CSP) headers to restrict form submission origins.
(4) Require re-authentication for sensitive administrative actions such as user creation.
(5) Restrict administrative panel access to a whitelist of trusted IP addresses or require VPN access.

Additionally, audit existing user accounts for unauthorized root-level accounts created during any period when the system was exposed, and review administrative action logs for suspicious account creation events.
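The synchronizer-token and SameSite mitigations listed above, as an added example that is neither Qool CMS code nor part of this advisory: a Python model of a hardened gate in front of POST /admin/adduser. The site origin, cookie name and request model are constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Assumed deployment origin of the CMS (constructed value, not from the advisory).
SITE_ORIGIN = "https://cms.example.invalid"

@dataclass
class Session:
    """Server-side session; the CSRF token lives here, never in a URL."""
    user: str
    level: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))

@dataclass
class Request:
    """Minimal model of an incoming HTTP request (constructed for the example)."""
    method: str
    path: str
    headers: dict
    form: dict

def render_adduser_form(session: Session) -> str:
    """Synchronizer-token pattern: the admin form embeds the session's token."""
    return ('<form method="POST" action="/admin/adduser">'
            f'<input type="hidden" name="csrf_token" value="{session.csrf_token}">'
            '<input name="username"><input name="password"><input name="email"><input name="level"></form>')

def check_adduser(request: Request, session: Session) -> tuple[bool, str]:
    """Gate for POST /admin/adduser; returns (allowed, reason)."""
    if request.method != "POST" or request.path != "/admin/adduser":
        return False, "wrong method or path"
    if session.level != "root":
        return False, "caller is not an administrator"
    # Browsers set Origin on cross-site POSTs; a page cannot forge it.
    origin = request.headers.get("Origin") or request.headers.get("Referer", "")
    if not origin.startswith(SITE_ORIGIN):
        return False, "cross-origin request rejected"
    # Constant-time compare of the submitted token against the session token.
    submitted = request.form.get("csrf_token", "").encode()
    if not hmac.compare_digest(submitted, session.csrf_token.encode()):
        return False, "missing or invalid CSRF token"
    return True, "ok"

def session_cookie_header(session_id: str) -> str:
    """SameSite=Strict stops the browser attaching the cookie to cross-site
    requests; the cookie name is a placeholder, not Qool CMS's real one."""
    return f"Set-Cookie: session={session_id}; Path=/; Secure; HttpOnly; SameSite=Strict"
```

A cross-site form post from another origin fails the Origin check before the token is even examined, and a same-origin request without the session's token is rejected by the constant-time comparison.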

Priority Score

47 (components: KEV 0, EPSS +0.0, CVSS +26, PoC +20)


EUVD-2013-7290 vulnerability details – vuln.today
