CVE-2020-37241
Published 2026-05-16
Priority: P4
CVSS 3.1: 5.3 (medium), vector AV:N / AC:L / PR:N / UI:N / S:U / C:N / I:L / A:N
EPSS: 0.15% (4.3th percentile)
bloofoxCMS 0.5.2.1 contains a cross-site request forgery vulnerability: the admin user creation endpoint accepts a state-changing POST on the strength of the session cookie alone, with no anti-CSRF token or origin check. An attacker who lures a logged-in administrator to a page under their control can have that page auto-submit a hidden form to the endpoint; the victim's browser attaches the admin session cookie, and a new administrative account with attacker-chosen credentials is created without the victim's knowledge.
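The pattern described above, and the fix a maintainer would apply, as an added example. This is not bloofoxCMS code: it is a small Python model of an admin user creation handler in its vulnerable form next to a hardened form that requires a per-session synchronizer token and an Origin/Referer check. The site origin `https://cms.example`, the attacker origin `https://attacker.example`, and the form field names (`username`, `password`, `csrf_token`) are assumptions for illustration, not bloofoxCMS's actual names. The forged request is constructed inline to stand in for what an attacker's hidden form would make the victim's browser send.

```python
"""Added example (not bloofoxCMS code): the CSRF pattern behind CVE-2020-37241
and the synchronizer-token fix. Names and field names are assumptions."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit

SITE_ORIGIN = "https://cms.example"   # assumed origin the CMS is served from


@dataclass
class Session:
    """Server-side session, looked up from the cookie the browser sends."""
    user: str
    is_admin: bool
    # Per-session secret the hardened handler requires in every state-changing form.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    form: dict
    headers: dict
    session: Optional[Session]   # None when no valid session cookie was sent


def _authorized(req: Request) -> bool:
    return req.method == "POST" and req.session is not None and req.session.is_admin


def create_admin_user_vulnerable(req: Request, users: dict) -> tuple:
    """Vulnerable pattern: any POST that carries an admin session cookie is honoured.
    A hidden form on an attacker's page submits this request from the victim's
    browser, which attaches the cookie automatically, so the attacker needs no
    credentials of their own."""
    if not _authorized(req):
        return 403, "forbidden"
    users[req.form["username"]] = {"password": req.form["password"], "role": "admin"}
    return 200, "created"


def _same_origin(url: str) -> bool:
    # Exact scheme+host comparison; a prefix check would accept
    # https://cms.example.attacker.example.
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}" == SITE_ORIGIN


def create_admin_user_hardened(req: Request, users: dict) -> tuple:
    """Same action with two independent CSRF defences."""
    if not _authorized(req):
        return 403, "forbidden"
    # 1. Origin/Referer check: browsers attach Origin to cross-site form POSTs
    #    and an attacker's page cannot overwrite it.
    source = req.headers.get("Origin") or req.headers.get("Referer")
    if not source or not _same_origin(source):
        return 403, "cross-site request rejected"
    # 2. Synchronizer token: must match the per-session value the CMS rendered
    #    into its own form; the attacker's page cannot read it. Constant-time
    #    compare avoids a timing oracle on the token.
    submitted = req.form.get("csrf_token", "")
    if not hmac.compare_digest(submitted, req.session.csrf_token):
        return 403, "missing or invalid csrf token"
    users[req.form["username"]] = {"password": req.form["password"], "role": "admin"}
    return 200, "created"


def demo() -> dict:
    """Replays a legitimate submission and a forged one against both handlers."""
    admin = Session(user="admin", is_admin=True)
    legit = Request("POST",
                    {"username": "alice", "password": "s3cret", "csrf_token": admin.csrf_token},
                    {"Origin": SITE_ORIGIN}, admin)
    # Constructed forged request: the attacker's page auto-submits a hidden form.
    # The browser sends the admin cookie (hence the same session), the attacker
    # cannot supply the token, and Origin names the attacker's site.
    forged = Request("POST",
                     {"username": "backdoor", "password": "pwned"},
                     {"Origin": "https://attacker.example"}, admin)
    vuln_users, hard_users = {}, {}
    return {
        "vuln_legit": create_admin_user_vulnerable(legit, vuln_users)[0],
        "vuln_forged": create_admin_user_vulnerable(forged, vuln_users)[0],
        "hard_legit": create_admin_user_hardened(legit, hard_users)[0],
        "hard_forged": create_admin_user_hardened(forged, hard_users)[0],
        "vuln_has_backdoor": "backdoor" in vuln_users,
        "hard_has_backdoor": "backdoor" in hard_users,
    }


if __name__ == "__main__":
    print(demo())
```

The two checks are deliberately independent: the token is the primary control and the Origin check catches forms that are submitted without a token for other reasons. Marking the session cookie `SameSite=Lax` or `Strict` is a third, cheaper layer, but on its own it only protects browsers that honour the attribute, so it complements rather than replaces the token.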
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| bloofox | bloofoxcms | 0.5.1.0 – 0.5.2.1 | — |
CVSS provenance
NVD, CVSS v3.1: 5.3 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
NVD, CVSS v4.0: 6.9 MEDIUM, CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Both vectors record PR:N and UI:N, although the attack as described needs a victim who is already logged in as an administrator and who loads the attacker's page. Read the 5.3 and 6.9 as catalog scores, not as a statement that the endpoint is reachable without an authenticated admin session.
GHSA
GHSA-gx8m-hc2r-m9f9 (unreviewed, 2026-05-16): CVE-2020-37241, MEDIUM, CWE-352 (cross-site request forgery). The advisory text is the same description as above.
VulDB
bloofoxCMS up to 0.5.2.1 Admin User Creation Endpoint cross-site request forgery (Exploit 49507 / EUVD-2020-31233)
VulDB entry, 2026-05-16, CVSS 6.9, MEDIUM
A vulnerability labeled as problematic has been found in bloofoxCMS up to 0.5.2.1. Affected is an unknown function of the component Admin User Creation Endpoint. The manipulation results in cross-site request forgery.
This vulnerability is cataloged as CVE-2020-37241. The attack may be launched remotely. Furthermore, there is an exploit available.
No detection rules found.
No public exploits indexed here; note that the VulDB entry above states an exploit is available (its reference 49507), but nothing is cross-linked on this page.
No writeups or analysis indexed.