Bolt CMS lacked CSRF protection in the preview generating endpoint. Previews are intended to be generated by the admins, developers, chief-editors, and editors, who are authorized to create content in the application. But due to lack of proper CSRF protection, unauthorized users could generate a preview.
This has been fixed in Bolt 3.7.1
Related issue: https://github.com/bolt/bolt/pull/7853
packetstormsecurity.com/files/158299/Bolt-CMS-3.7.0-XSS-CSRF-Shell-Upload.html
seclists.org/fulldisclosure/2020/Jul/4
github.com/bolt/bolt
github.com/bolt/bolt/commit/b42cbfcf3e3108c46a80581216ba03ef449e419f
github.com/bolt/bolt/pull/7853
github.com/bolt/bolt/security/advisories/GHSA-2q66-6cc3-6xm8
nvd.nist.gov/vuln/detail/CVE-2020-4040