CVE-2020-23960 — Cross-Site Request Forgery in Fork CMS

CWE-352 — Cross-Site Request Forgery3 documents3 sources

Severity

8.8HIGHNVD

EPSS

0.2%

top 57.51%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Fork-cms Fork CMS Forkcms

Timeline

PublishedJan 11

Latest updateMay 6

Description

Multiple cross-site request forgery (CSRF) vulnerabilities in the Admin Console in Fork before 5.8.3 allows remote attackers to perform unauthorized actions as administrator to (1) approve the mass of the user's comments, (2) restoring a deleted user, (3) installing or running modules, (4) resetting the analytics, (5) pinging the mailmotor api, (6) uploading things to the media library, (7) exporting locale.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

▶Packagistforkcms/forkcms< 5.8.3

▶NVDfork-cms/fork_cms< 5.8.3

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Cross-Site Request Forgery in ForkCMS↗2021-05-06

▶

GHSA

Cross-Site Request Forgery in ForkCMS↗2021-05-06

▶