CVE-2018-14014
Description
In waimai Super Cms 20150505, there is a CSRF vulnerability that can add an admin account via admin.php?m=Member&a=adminadd.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A CSRF vulnerability in waimai Super Cms 20150505 allows an attacker to add an administrator account by tricking an authenticated admin into submitting a crafted form.
Vulnerability
A cross-site request forgery (CSRF) vulnerability exists in waimai Super Cms version 20150505. The admin.php?m=Member&a=adminaddsave endpoint lacks any anti-CSRF token or origin validation, allowing an attacker to forge requests that create new administrator accounts [1].
Exploitation
An attacker must trick an authenticated administrator into visiting a malicious HTML page while logged into the CMS. The page contains a form that submits a POST request to admin.php?m=Member&a=adminaddsave with attacker-controlled values for username, password, and repassword. The form can be auto-submitted via JavaScript or require a single click. The victim's browser automatically includes the session cookie, authenticating the request [1].
Impact
Successful exploitation allows the attacker to create a new administrator account with arbitrary credentials. This grants full control over the CMS, including the ability to modify content, access user data, and perform further administrative actions.
Mitigation
No official fix has been released for waimai Super Cms 20150505 as of the publication date. The vendor should implement CSRF tokens (e.g., a nonce) for all state-changing requests and validate the Origin or Referer header. Users should consider upgrading to a patched version if available, or restrict access to the admin panel with network-level controls [1].
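The mitigation above describes two controls: a per-session synchronizer token on every state-changing request and an allow-list check on the Origin (falling back to Referer) header. The following PHP is an added example written for this page, not code from waimai Super Cms or its author: it shows a guarded equivalent of an account-creation handler that rejects a request lacking a valid token or arriving from an untrusted origin. The helper names, the trusted host, and the `$session` array (standing in for `$_SESSION` so the file runs from the CLI) are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example, not code from waimai Super Cms: a synchronizer token plus an
// Origin/Referer allow-list guarding a state-changing admin action.
// Helper names and the trusted host are hypothetical. The $session array stands
// in for $_SESSION so the file runs from the CLI without a web server.

const CSRF_KEY = 'csrf_token';
const TRUSTED_ORIGINS = ['https://cms.example.test']; // placeholder admin host

// Issue (or reuse) a per-session random token; the admin form embeds it as a hidden field.
function csrf_token_issue(array &$session): string
{
    if (empty($session[CSRF_KEY])) {
        $session[CSRF_KEY] = bin2hex(random_bytes(32));
    }
    return $session[CSRF_KEY];
}

// Constant-time comparison of the submitted token against the session copy.
function csrf_token_verify(array $session, ?string $submitted): bool
{
    $expected = $session[CSRF_KEY] ?? '';
    if ($expected === '' || $submitted === null || $submitted === '') {
        return false;
    }
    return hash_equals($expected, $submitted);
}

// Accept only requests whose Origin (or, failing that, Referer) is on the allow-list.
// A request that carries neither header is rejected rather than trusted.
function origin_allowed(array $headers): bool
{
    $origin = $headers['Origin'] ?? null;
    if ($origin === null && isset($headers['Referer'])) {
        $parts = parse_url($headers['Referer']);
        if (is_array($parts) && isset($parts['scheme'], $parts['host'])) {
            $origin = $parts['scheme'] . '://' . $parts['host']
                    . (isset($parts['port']) ? ':' . $parts['port'] : '');
        }
    }
    return $origin !== null && in_array($origin, TRUSTED_ORIGINS, true);
}

// Guarded equivalent of an "add administrator" save handler. Returns a status
// string so the decision is visible; a real handler would then create the account.
function handle_admin_add_save(string $method, array $headers, array $post, array $session): string
{
    if ($method !== 'POST') {
        return 'rejected: state change requires POST';
    }
    if (!origin_allowed($headers)) {
        return 'rejected: untrusted or missing Origin/Referer';
    }
    if (!csrf_token_verify($session, $post['csrf_token'] ?? null)) {
        return 'rejected: missing or invalid CSRF token';
    }
    foreach (['username', 'password', 'repassword'] as $field) {
        if (!isset($post[$field]) || $post[$field] === '') {
            return "rejected: missing field {$field}";
        }
    }
    if ($post['password'] !== $post['repassword']) {
        return 'rejected: passwords do not match';
    }
    return 'accepted: would create admin ' . $post['username'];
}

// Constructed sample session and requests.
$session = [];
$token = csrf_token_issue($session);

// A submission from the admin UI itself carries the token and the site's own Origin.
$fromAdminUi = handle_admin_add_save('POST',
    ['Origin' => 'https://cms.example.test'],
    ['csrf_token' => $token, 'username' => 'ops', 'password' => 'p', 'repassword' => 'p'],
    $session);

// A cross-site submission cannot read the session token and carries a foreign Origin.
$crossSite = handle_admin_add_save('POST',
    ['Origin' => 'https://other-site.example.test'],
    ['username' => 'x', 'password' => 'p', 'repassword' => 'p'],
    $session);

echo $fromAdminUi, PHP_EOL;
echo $crossSite, PHP_EOL;
```

The Origin check runs before the token check so that a cross-site request is refused even if a token were somehow leaked, and a request with neither header is treated as untrusted rather than silently allowed. Both controls are needed: the token is the primary defence, and the origin allow-list is a cheap second layer that also makes rejected requests easy to log and alert on.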
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = 20150505
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] github.com/caokang/waimai/issues/2
News mentions
No linked articles in our index yet.