CVE-2016-20054
Description
Nodcms contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized administrative actions by crafting malicious forms. Attackers can trick authenticated administrators into submitting requests to admin/user_manipulate and admin/settings/generall endpoints to create users or modify application settings without explicit consent.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Nodcms lacks CSRF protection on admin endpoints, allowing attackers to trick authenticated admins into creating users or modifying settings.
Vulnerability Overview
CVE-2016-20054 is a cross-site request forgery (CSRF) vulnerability present in Nodcms, a PHP-based CMS built on CodeIgniter. The application fails to implement any anti-CSRF tokens or validation checks on its administrative form submissions. This allows an attacker to craft malicious HTML forms that, when submitted by an authenticated administrator, will perform unintended actions on the target Nodcms installation [1].
Attack Vector and Exploitation
The vulnerable endpoints are admin/user_manipulate and admin/settings/generall. Exploitation requires the attacker to trick a currently logged-in administrator into visiting a page containing a crafted form. The proof-of-concept (PoC) code demonstrates two distinct attacks: one that creates a new administrative user with attacker-controlled credentials, and another that modifies general settings—for example, injecting a cross-site scripting payload into the company name field [3]. The attacker has no direct interaction with the server; the request originates from the administrator's browser, carrying the victim's session cookie.
Impact
If successfully exploited, an attacker can gain persistent administrative access to the Nodcms instance by creating a new user account. The second PoC shows that the lack of CSRF protection can also be chained with stored XSS by altering site-wide configuration fields, potentially leading to further compromise of the admin interface and other users [3].
Mitigation Status
The vendor has not released an official patch for this vulnerability. The NVD entry does not list a fixed version [1]. Administrators should implement custom CSRF protections, such as integrating anti-CSRF tokens into all sensitive forms, and consider using same-site cookie attributes or additional authentication confirmations for critical administrative actions. As of 2024, Nodcms remains available on GitHub, but no security advisory addressing this issue has been published [2].
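Since no vendor fix is listed, the following is an added example of the custom protection the paragraph above recommends: a synchronizer-token CSRF guard plus SameSite session cookie attributes, written in plain PHP so it can sit in front of handlers like admin/user_manipulate and admin/settings/generall. It is not Nodcms or CodeIgniter code; the function names, the session key and the field name are assumptions, and the handler structure at the bottom is illustrative.

```php
<?php
// Added example (not Nodcms or CodeIgniter code): a minimal synchronizer-token
// CSRF guard for PHP admin forms. Endpoint names come from the advisory; all
// function, key and field names below are assumptions for illustration.
// Requires PHP 7.3+ for the array form of session_set_cookie_params().

declare(strict_types=1);

const CSRF_SESSION_KEY = '_csrf_token';
const CSRF_FIELD_NAME  = 'csrf_token';

// Start the admin session with cookie attributes that limit cross-site use.
// SameSite=Lax keeps the cookie off cross-origin POSTs such as a forged form
// submission; Secure and HttpOnly are standard hygiene for an admin session.
function startAdminSession(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Issue (or reuse) a per-session random token. A form hosted on an
// attacker's page cannot read this value, so it cannot include it.
function csrfToken(): string
{
    if (empty($_SESSION[CSRF_SESSION_KEY])) {
        $_SESSION[CSRF_SESSION_KEY] = bin2hex(random_bytes(32));
    }
    return $_SESSION[CSRF_SESSION_KEY];
}

// Hidden field to render inside every state-changing admin form.
function csrfField(): string
{
    return sprintf(
        '<input type="hidden" name="%s" value="%s">',
        CSRF_FIELD_NAME,
        htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8')
    );
}

// Validate a submitted token against the session copy. hash_equals() gives a
// constant-time comparison; a missing or empty session token always fails.
function csrfTokenIsValid(array $post, ?string $sessionToken): bool
{
    if ($sessionToken === null || $sessionToken === '') {
        return false;
    }
    $submitted = $post[CSRF_FIELD_NAME] ?? '';
    return is_string($submitted) && hash_equals($sessionToken, $submitted);
}

// Guard to call at the top of a write handler before any user is created or
// any setting is saved. GET requests pass through; forged POSTs get a 403.
function requireValidCsrfToken(): void
{
    if (($_SERVER['REQUEST_METHOD'] ?? 'GET') !== 'POST') {
        return;
    }
    if (!csrfTokenIsValid($_POST, $_SESSION[CSRF_SESSION_KEY] ?? null)) {
        http_response_code(403);
        // Log the rejection so forged submissions show up in the admin log.
        error_log(sprintf(
            'CSRF check failed for %s from %s',
            $_SERVER['REQUEST_URI'] ?? '?',
            $_SERVER['REMOTE_ADDR'] ?? '?'
        ));
        exit('Invalid or missing CSRF token.');
    }
}

// Illustrative handler skeleton (assumed structure, not Nodcms code):
startAdminSession();
requireValidCsrfToken();
// ... perform the user creation or settings update only after the guard ...
// Forms are rendered with: echo csrfField();
```

The token check alone closes the hole the advisory describes; the SameSite attribute is defence in depth, since older browsers ignore it and some cross-site navigations still carry Lax cookies. Both should be applied to every form that changes state, not only the two endpoints named in the PoC.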
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| khodakhah/nodcms (Packagist) | <= 3.4.1 | — |
Affected products: 2
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- www.exploit-db.com/exploits/40707 (Exploit-DB entry, via NVD)
- github.com/advisories/GHSA-3qcm-pj6q-w4c5 (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2016-20054 (NVD advisory, via GHSA)
News mentions: 0
No linked articles in our index yet.