CVE-2018-12582
Description
An issue was discovered in AKCMS 6.1. CSRF can add an admin account via a /index.php?file=account&action=manageaccounts&job=newaccount URI.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
AKCMS 6.1 is vulnerable to CSRF allowing an attacker to add a new admin account.
Vulnerability
AKCMS 6.1 contains a Cross-Site Request Forgery (CSRF) vulnerability in the user account creation functionality. The endpoint /index.php?file=account&action=manageaccounts&job=newaccount does not enforce any anti-CSRF tokens, allowing an attacker to craft a malicious request that adds a new admin user [1].
Exploitation
To exploit this vulnerability, an attacker must trick an authenticated admin into visiting a malicious webpage. The page can include a hidden form that auto-submits a POST request to the vulnerable endpoint with parameters for a new admin account (e.g., username and password). No additional authentication, network position, or user interaction beyond the initial visit is required [1].
Impact
Successful exploitation results in the creation of a new admin account under the attacker's control. The attacker can then log in with full administrative privileges, leading to complete compromise of the AKCMS installation, including data access, modification, and potential further attacks [1].
Mitigation
As of the publication date, no official patch or workaround has been released for AKCMS 6.1. The recommended mitigation is to implement CSRF tokens or other anti-CSRF measures, such as same-site cookies or origin header validation, on the vulnerable endpoint. Users should monitor for updates from the vendor [1].
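The three measures named above (SameSite session cookie, Origin validation, per-session token), as an added PHP example that is not AKCMS code. The function names, the `csrf_token` session key and form field, and the origin `https://cms.example` are assumptions, and the requests at the bottom are constructed.

```php
<?php
// Added illustration, not AKCMS source; every name below is hypothetical.
declare(strict_types=1);

const ALLOWED_ORIGIN = 'https://cms.example'; // assumed origin of the admin site

// SameSite keeps the session cookie off cross-site POSTs (PHP 7.3+ array form).
function harden_session_cookie(): void
{
    session_set_cookie_params(['samesite' => 'Strict', 'httponly' => true, 'secure' => true]);
}

// Issue (or reuse) a per-session token to embed as a hidden field in the form.
function csrf_issue_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Compare scheme://host[:port] from Origin (Referer as fallback) with our own.
function csrf_origin_ok(array $server): bool
{
    $p = parse_url($server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '');
    if (!is_array($p) || empty($p['scheme']) || empty($p['host'])) {
        return false; // absent, "null" or unparsable: refuse
    }
    $origin = strtolower($p['scheme'] . '://' . $p['host'])
        . (isset($p['port']) ? ':' . $p['port'] : '');
    return $origin === ALLOWED_ORIGIN;
}

// Gate for state-changing actions such as job=newaccount: POST only,
// same-origin, and a token matching the one stored in the session.
function csrf_request_ok(string $method, array $server, array $post, array $session): bool
{
    $expected = $session['csrf_token'] ?? '';
    $given = $post['csrf_token'] ?? '';
    return $method === 'POST'
        && csrf_origin_ok($server)
        && is_string($expected) && $expected !== ''
        && is_string($given) && hash_equals($expected, $given);
}

// Constructed requests: a forged cross-site POST, then the real form submit.
$session = [];
$token = csrf_issue_token($session);
var_dump(csrf_request_ok('POST', ['HTTP_ORIGIN' => 'https://attacker.example'], ['username' => 'x'], $session));
var_dump(csrf_request_ok('POST', ['HTTP_ORIGIN' => ALLOWED_ORIGIN], ['csrf_token' => $token], $session));
```

In a real handler, `harden_session_cookie()` would run before `session_start()`, and the gate would be called with `$_SERVER['REQUEST_METHOD']`, `$_SERVER`, `$_POST` and `$_SESSION` before any account is created.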
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
References (2)
- github.com/chenrui1896/issue/blob/master/add_admin (mitre, x_refsource_MISC)
- github.com/p8w/akcms/issues/1 (mitre, x_refsource_MISC)