VYPR
High severity · OSV Advisory · Published Apr 12, 2019 · Updated Aug 5, 2024

CVE-2017-18366

Description

Subrion CMS 4.1.5 has CSRF in blog/delete/.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Subrion CMS 4.1.5 has a CSRF vulnerability in blog/delete/ that lets an attacker delete blog entries through a forged request sent from a logged-in user's browser.

Vulnerability

Subrion CMS 4.1.5 contains a Cross-Site Request Forgery (CSRF) vulnerability in the blog/delete/ endpoint [1]. The delete action carries no CSRF protection such as an anti-CSRF token [4], and, as the fix commit below shows, before the patch it also checked neither that a user was logged in nor that the user owned the entry being deleted. A forged request therefore performs the deletion with whatever authority the victim's browser session carries.

Exploitation

An attacker crafts a page containing a form whose action is http://target/blog/delete/<post_id>/ [4]; the form can be submitted automatically by script, so the victim need only load the page. The handler takes the entry ID from the URL path ($iaCore->requestPath[0] in the patch below) and the visible code does not check the request method, which suggests that a plain hyperlink or image tag pointing at the URL would work as well as a form. If a logged-in user loads the attacker's page, the targeted entry is deleted without the user's knowledge or consent. The attacker needs no account; the victim needs nothing beyond an ordinary Subrion CMS session.

Impact

A successful attack deletes the targeted entry. Because the pre-fix code performed no ownership check (see the patch below), the entry need not belong to the victim: any entry whose integer ID the attacker knows or guesses can be removed, and repeating the request across IDs amounts to loss of the blog's content [4]. An administrator victim is therefore not required for critical content to be at risk, although an administrator's session makes the deletion indistinguishable from routine moderation.

Mitigation

The fix commit [3] adds an authentication check and an ownership check to the delete action: the user must be logged in and must own the entry before it is deleted. The visible patch adds no anti-CSRF token and does not restrict the action to POST, so the commit closes the missing-authorization gap rather than the cross-site forgery itself; a logged-in member can still be induced to delete an entry they own. Users should update to Subrion CMS 4.2.1 or later [2], where these checks are present.
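The forged request described under Exploitation and the checks described under Mitigation, as an added example in PHP that is not Subrion's code. The handler shape mirrors the patched modules/blog/index.php (login check, entry lookup by ID from the path, ownership check) and then goes beyond the visible patch by adding the two controls it lacks: a per-session synchronizer token and a POST-only rule. Every function name, the in-memory entry table and the sample requests are constructed for this illustration.

```php
<?php
// Added example (not Subrion's code): a minimal "delete entry" handler in the
// shape of the patched modules/blog/index.php, plus a synchronizer token and a
// request-method check. Names, the in-memory "database" and the sample
// requests are constructed for illustration.

declare(strict_types=1);

// Constructed stand-in for the blog table: id => row with owner member_id.
$GLOBALS['entries'] = [
    7 => ['id' => 7, 'member_id' => 42],
    8 => ['id' => 8, 'member_id' => 99],
];

// Issue one token per session, store it server-side and render it only into
// the site's own delete form (hidden input); a cross-origin page cannot read it.
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Constant-time comparison: a plain == would leak token bytes through timing
// and would also type-juggle (e.g. "0" == false).
function csrf_valid(array $session, ?string $submitted): bool
{
    return isset($session['csrf_token'], $submitted)
        && hash_equals($session['csrf_token'], $submitted);
}

// $session: ['member_id' => int|null, 'csrf_token' => string|null]
// $request: ['method' => 'GET'|'POST', 'path' => [segments], 'post' => [fields]]
// Returns an HTTP-like status string; on "200" the entry is removed.
function handle_delete(array &$session, array $request): string
{
    // 1. Must be authenticated (the first check the upstream patch added).
    if (empty($session['member_id'])) {
        return '401 unauthorized';
    }
    // 2. State-changing action: accept POST only ...
    if ($request['method'] !== 'POST') {
        return '405 method not allowed';
    }
    // 3. ... carrying a token bound to this session (the CSRF control itself).
    if (!csrf_valid($session, $request['post']['csrf_token'] ?? null)) {
        return '403 csrf token missing or invalid';
    }
    // 4. Resolve the entry from the URL path, as the patched handler does.
    $id = (int)($request['path'][0] ?? 0);
    $entry = $GLOBALS['entries'][$id] ?? null;
    if ($entry === null) {
        return '404 not found';
    }
    // 5. Ownership check (the second check the upstream patch added); cast both
    //    sides, since a real DB row would hand back member_id as a string.
    if ((int)$entry['member_id'] !== (int)$session['member_id']) {
        return '403 forbidden';
    }
    unset($GLOBALS['entries'][$id]);
    return '200 deleted';
}

// --- constructed requests ---------------------------------------------------

$victim = ['member_id' => 42, 'csrf_token' => null];
$token  = csrf_token($victim);   // would be rendered into the genuine form

// (a) Forged GET link (<img src="/blog/delete/7/">) from an attacker page:
//     the victim's cookies ride along, but the method check stops it.
echo handle_delete($victim, ['method' => 'GET', 'path' => ['7'], 'post' => []]), PHP_EOL;

// (b) Forged auto-submitted POST form: cookies ride along, the token does not.
echo handle_delete($victim, ['method' => 'POST', 'path' => ['7'], 'post' => []]), PHP_EOL;

// (c) Attacker guesses a token: rejected in constant time.
echo handle_delete($victim, ['method' => 'POST', 'path' => ['7'],
                              'post' => ['csrf_token' => str_repeat('a', 64)]]), PHP_EOL;

// (d) The owner's own form submission with the real token succeeds.
echo handle_delete($victim, ['method' => 'POST', 'path' => ['7'],
                              'post' => ['csrf_token' => $token]]), PHP_EOL;

// (e) Same valid token, but entry 8 belongs to member 99: ownership check fires.
echo handle_delete($victim, ['method' => 'POST', 'path' => ['8'],
                              'post' => ['csrf_token' => $token]]), PHP_EOL;

// (f) Unauthenticated visitor (the pre-patch gap): refused before anything else.
$guest = ['member_id' => null, 'csrf_token' => null];
echo handle_delete($guest, ['method' => 'POST', 'path' => ['8'], 'post' => []]), PHP_EOL;
```

Run it with the php command-line binary. Cases (a) to (c) are the requests a victim's browser would send with its cookies from an attacker-controlled page, (d) is the owner's genuine submission, (e) exercises the ownership check the patch added, and (f) is the unauthenticated path the original code did not refuse. Only the token check distinguishes (b) from (d): both arrive with the victim's session cookie, and that is the distinction the upstream commit does not make.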

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: intelliants/subrion (Packagist)
Affected versions: < 4.2.1
Patched versions: 4.2.1

Affected products: 2

Patches: 1

Commit 8c08d7b92a4b (PR #477) in https://github.com/intelliants/subrion, by Janur Jangaraev, Jul 3, 2017 (via GHSA)
2 files changed · +13 −6
  • modules/blog/index.php+10 3 modified
    @@ -89,8 +89,7 @@
                         $messages[] = iaLanguage::get('title_is_empty');
                     }
     
    -                $entry['body'] = iaUtil::safeHTML($_POST['body']);
    -                utf8_is_valid($entry['body']) || $entry['body'] = utf8_bad_replace($entry['body']);
    +                $entry['body'] = iaUtil::safeHTML(utf8_bad_replace($_POST['body']));
     
                     if (empty($entry['body'])) {
                         $messages[] = iaLanguage::getf('field_is_empty', ['field' => iaLanguage::get('body')]);
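Review bot: this change to the body sanitizer is unrelated to the authorization fix the rest of the commit makes and would be easier to audit as its own commit. The new order is the safer one: the old code ran iaUtil::safeHTML over the raw bytes first and only repaired invalid UTF-8 afterwards, whereas `iaUtil::safeHTML(utf8_bad_replace($_POST['body']))` cleans the byte stream before the HTML filter sees it. One behavioural change deserves a line in the commit message: utf8_bad_replace now runs on every save rather than only when utf8_is_valid failed.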
    @@ -151,13 +150,21 @@
                     return iaView::errorPage(iaView::ERROR_NOT_FOUND);
                 }
     
    +            if (!iaUsers::hasIdentity()) {
    +                return iaView::errorPage(iaView::ERROR_UNAUTHORIZED);
    +            }
    +
                 $id = (int)$iaCore->requestPath[0];
    -            $entry = $iaDb->row(iaDb::ALL_COLUMNS_SELECTION, iaDb::convertIds($id));
    +            $entry = $iaBlog->getById($id);
     
                 if (!$entry) {
                     return iaView::errorPage(iaView::ERROR_NOT_FOUND);
                 }
     
    +            if ($entry['member_id'] != iaUsers::getIdentity()->id) {
    +                return iaView::errorPage(iaView::ERROR_FORBIDDEN);
    +            }
    +
                 $result = $iaBlog->delete($id);
     
                 $iaView->setMessages(iaLanguage::get($result ? 'deleted' : 'db_error'), $result ? iaView::SUCCESS : iaView::ERROR);
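Review bot: the new checks close the authentication and ownership gap, but nothing in this hunk ties the delete to a token or to the POST method; the ID still comes from `$iaCore->requestPath[0]` and the action runs on whatever request reaches it, so a logged-in member can still be made to delete their own entry by a cross-site link. If this commit is meant to resolve the CSRF report rather than only the missing authorization, add a request-method check and a per-session token check before `$result = $iaBlog->delete($id);`. Two smaller points: `$entry['member_id'] != iaUsers::getIdentity()->id` compares a database value loosely, so an explicit `(int)` cast on both sides would make the intent clear, and the ownership test as written also refuses administrators deleting other members' entries through this front-end path, which may be intended (install.xml defines a separate admin_page delete object) but should be stated in a comment.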
    
  • modules/blog/install.xml+3 3 modified
    @@ -31,9 +31,9 @@
     		<object meta_object="admin_page" id="blog" action="delete" access="1">Delete blog entry</object>
     
     		<object id="blog" access="1">View blog entries</object>
    -		<object id="blog" action="add" access="0">Add blog entry</object>
    -		<object id="blog" action="edit" access="0">Edit blog entry</object>
    -		<object id="blog" action="delete" access="0">Delete blog entry</object>
    +		<object id="blog" action="add" access="1">Add blog entry</object>
    +		<object id="blog" action="edit" access="1">Edit blog entry</object>
    +		<object id="blog" action="delete" access="1">Delete blog entry</object>
     	</permissions>
     
     	<phrases>
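Review bot: flipping `access` from "0" to "1" on the front-end add, edit and delete objects widens the default permission in the same commit that tightens the handler, and nothing in the diff says why. Whether "0" was what let the unauthenticated delete through, or "1" now grants members these actions by default and the new ownership check in index.php is what makes that safe, the reasoning belongs in the commit message. The file name also suggests these defaults are only consumed at install time, so existing installs may need the permission change applied on upgrade; please confirm.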
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 4

News mentions: 0

No linked articles in our index yet.