VYPR
Moderate severity · NVD Advisory · Published Aug 24, 2022 · Updated Jun 17, 2025

CVE-2018-14520

Description

An issue was discovered in Kirby 2.5.12. The application allows malicious HTTP requests to be sent in order to trick a user into adding web pages.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Kirby CMS 2.5.12 is vulnerable to Cross-Site Request Forgery (CSRF), enabling attackers to trick authenticated users into adding or deleting pages without their consent.

Vulnerability

Overview

CVE-2018-14520 describes a Cross-Site Request Forgery (CSRF) vulnerability in Kirby CMS version 2.5.12. The panel accepts state-changing requests on the strength of the session cookie alone, with no anti-CSRF token in the form, so an attacker can craft a request that, when a victim's browser submits it while the victim is logged in, performs unintended actions such as adding or deleting web pages [1][2]. The root cause is the missing CSRF protection on sensitive panel operations.

Exploitation

An attacker can host a crafted HTML page containing a hidden form whose action is a page-management endpoint of the Kirby panel. If an authenticated administrator is lured to that page (e.g., via a phishing link), JavaScript auto-submits the form; the browser attaches the victim's panel session cookie to the cross-site POST, so the action executes with the victim's privileges [2]. The attack only works while the administrator has an active panel session in the same browser, and it is blocked if the session cookie carries a SameSite attribute that keeps it off cross-site POST requests. The PoC demonstrates a delete request targeting a specific page, but the same technique applies to adding pages.

Impact

Successful exploitation lets an attacker perform administrative content actions in the CMS without the victim's knowledge, leading to unauthorized content modification or data loss, and potentially to further compromise if chained with other vulnerabilities [2]. The advisory rates the severity as moderate: exploitation requires interaction from an authenticated panel user, but a successful attack gives the attacker control over the site's content.

Mitigation

No patch for 2.5.12 is recorded on this page; the fix described in the reference is to add anti-CSRF tokens to all panel forms and verify them server-side on every state-changing request [2]. Users are advised to upgrade to a Kirby release that includes CSRF protection. As an interim measure, reject panel POST requests whose Origin (or, failing that, Referer) header is not the panel's own origin, whether at the application, reverse proxy or WAF layer, and set the panel session cookie with SameSite=Lax or Strict. A generic WAF signature alone is not a reliable workaround, because a forged request carries the same cookie and body as a legitimate one. As of the publication date, this vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.
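The following example illustrates both the Exploitation and Mitigation sections above: a forged cross-site POST that succeeds against a handler which trusts the session cookie alone, and the same request rejected by a handler that verifies a per-session CSRF token and the request's Origin. It is an added illustration, not Kirby's code; the endpoint path `/panel/pages/add`, the cookie name `PHPSESSID`, the site origin `https://example.test`, the session store and the request objects are all constructed assumptions made for this demonstration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlparse

SITE_ORIGIN = "https://example.test"  # assumed panel origin


@dataclass
class Request:
    """Constructed stand-in for an incoming HTTP request."""
    method: str
    path: str
    cookies: dict
    form: dict
    headers: dict = field(default_factory=dict)


# Constructed session store: one logged-in administrator.
SESSIONS = {"s3ss10n": {"user": "admin"}}


def authenticated_user(req):
    sess = SESSIONS.get(req.cookies.get("PHPSESSID"))
    return sess["user"] if sess else None


# --- Vulnerable pattern: the session cookie is the only check -------------
def add_page_vulnerable(req, pages):
    if req.method != "POST" or authenticated_user(req) is None:
        return 403
    pages.add(req.form["title"])
    return 200


# --- Hardened pattern: per-session CSRF token plus Origin check -------------
CSRF_KEY = secrets.token_bytes(32)  # server-side secret; load from config in practice


def csrf_token(session_id):
    """Token bound to the session id via HMAC, so it is useless in any other session."""
    return hmac.new(CSRF_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def same_origin(req, site=SITE_ORIGIN):
    """Accept only requests whose Origin (or Referer) matches the panel's own origin."""
    origin = req.headers.get("Origin") or req.headers.get("Referer")
    if origin is None:
        return False  # fail closed when neither header is present
    o, s = urlparse(origin), urlparse(site)
    return (o.scheme, o.netloc) == (s.scheme, s.netloc)


def add_page_hardened(req, pages):
    if req.method != "POST" or authenticated_user(req) is None:
        return 403
    expected = csrf_token(req.cookies["PHPSESSID"])
    supplied = req.form.get("csrf", "")
    # compare_digest avoids leaking the token through timing differences.
    if not hmac.compare_digest(expected, supplied) or not same_origin(req):
        return 403
    pages.add(req.form["title"])
    return 200


# What the browser sends after a hidden form on attacker.test auto-submits:
# the victim's cookie is attached, but the attacker cannot read the token.
FORGED = Request("POST", "/panel/pages/add", {"PHPSESSID": "s3ss10n"},
                 {"title": "pwned"}, {"Origin": "https://attacker.test"})


def legit_request():
    """A request from the real panel page, which rendered the token into its form."""
    return Request("POST", "/panel/pages/add", {"PHPSESSID": "s3ss10n"},
                   {"title": "About", "csrf": csrf_token("s3ss10n")},
                   {"Origin": SITE_ORIGIN})


def demo():
    vuln_pages, hard_pages = set(), set()
    return (add_page_vulnerable(FORGED, vuln_pages),   # 200: forged request accepted
            add_page_hardened(FORGED, hard_pages),     # 403: no token, foreign Origin
            add_page_hardened(legit_request(), hard_pages),  # 200: genuine panel submit
            sorted(vuln_pages), sorted(hard_pages))


if __name__ == "__main__":
    print(demo())
```

The token is placed in a form field rather than a cookie precisely because the attack relies on the browser attaching cookies automatically; a random per-session token stored server-side works equally well in place of the HMAC binding. The Origin check is defence in depth, not a substitute for the token, since some clients and privacy tools strip Referer and older browsers omit Origin on same-site navigations.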

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
getkirby/cms (Packagist) | <= 2.5.12 | none listed

Affected products: 2

Patches: 0 (no patches discovered yet)

References: 4

News mentions: 0 (no linked articles in the index yet)