Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2012-1297Cross-Site Request Forgery in CMS

CWE-352Cross-Site Request Forgery4 documents4 sources
Severity
6.8MEDIUMNVD
EPSS
0.4%
top 40.21%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
1
Contao CMS
Timeline
PublishedMar 19
Latest updateMay 14

Description

Multiple cross-site request forgery (CSRF) vulnerabilities in main.php in Contao (formerly TYPOlight) 2.11.0 and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) delete users via a delete action in the user module, (2) delete news via a delete action in the news module, or (3) delete newsletters via a delete action in the newsletters module.

CVSS vector

AV:N/AC:M/C:P/I:P/A:PExploitability: 8.6 | Impact: 6.4

Affected Packages1 packages

NVDcontao/contao_cms2.11.0+92

🔴Vulnerability Details

2
GHSA
GHSA-c982-gvw7-5x8v: Multiple cross-site request forgery (CSRF) vulnerabilities in main2022-05-14
CVEList
CVE-2012-1297: Multiple cross-site request forgery (CSRF) vulnerabilities in main2012-03-19

💥Exploits & PoCs

1
Exploit-DB
ContaoCMS (aka TYPOlight) 2.11 - Cross-Site Request Forgery (Delete Admin / Delete Article)2012-02-26
CVE-2012-1297 — Cross-Site Request Forgery in CMS | cvebase