VYPR
Unrated severityNVD Advisory· Published Sep 5, 2018· Updated Aug 5, 2024

CVE-2018-15682

Description

XBTIT lacks CSRF protection, allowing an attacker to forge authenticated actions such as sending private messages by tricking a user into submitting a malicious form.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

CVE-2018-15682 describes a cross-site request forgery (CSRF) vulnerability in BTITeam XBTIT. The application fails to implement any anti-CSRF tokens or origin validation, making it possible for an attacker to craft a web page that automatically submits a form on behalf of an authenticated victim. This allows automation of sensitive actions, such as sending private messages, without the victim's consent. The issue affects all versions of XBTIT prior to the disclosure date (September 2018) [1].

Exploitation

An attacker does not require any special network position beyond being able to host a malicious web page or inject a payload into a page visited by a target. The victim must be authenticated to the XBTIT application. The attacker lures the victim (e.g., via a phishing link) to a page that contains an automatically submitted form targeting a vulnerable XBTIT endpoint. User interaction is limited to visiting the attacker-controlled page; the form submission occurs without the victim's knowledge [1].

Impact

Successful exploitation allows the attacker to perform actions on the XBTIT platform as the victim user. This includes sending private messages, which could be used for social engineering, phishing, or spreading malicious content. The impact is a loss of integrity and confidentiality of user actions, as the attacker can impersonate the victim for specific functions. No elevation of privilege is achieved beyond what the victim's account permits [1].

Mitigation

As of the publication date (September 2018), no official patch or fixed version was released by BTITeam. The vendor did not respond to disclosure attempts. Users are advised to implement CSRF protection manually by adding anti-CSRF tokens to sensitive forms and validating the Origin header on state-changing requests. Since XBTIT may be considered deprecated or unsupported, migration to an actively maintained alternative is recommended. This vulnerability is not listed on the CISA KEV as of the knowledge cutoff [1].
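The two controls named in the mitigation, a per-session anti-CSRF token embedded in sensitive forms and an Origin/Referer check on the request, are shown below as an added, self-contained example. This is not XBTIT code (XBTIT is PHP; the logic is written in Python so it runs stand-alone), and every name in it (`ALLOWED_ORIGIN`, `handle_pm_post`, the session and form dictionaries) is constructed for the illustration. The form field names `receiver`, `subject` and `msg` mirror the parameters named in the advisory; the example gates the private-message POST so that a request arriving without a matching token or from a foreign origin is rejected before any message is stored.

```python
import hmac
import html
import secrets
from urllib.parse import urlsplit

# Constructed example: the site's own origin, against which Origin/Referer is compared.
ALLOWED_ORIGIN = "https://tracker.example"


def issue_csrf_token(session):
    """Create a random token once per session and keep it server-side."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def render_pm_form(session, recipient_uid):
    """Hypothetical form renderer: the token travels as a hidden field the
    attacker's page cannot read, so a cross-site form cannot reproduce it."""
    token = issue_csrf_token(session)
    return (
        '<form method="post" action="/index.php?page=usercp&do=pm&action=post'
        f'&uid={html.escape(str(recipient_uid))}&what=new">'
        f'<input type="hidden" name="csrf_token" value="{html.escape(token)}">'
        '<input name="receiver"><input name="subject"><textarea name="msg"></textarea>'
        '</form>'
    )


def origin_allowed(headers):
    """Accept only requests whose Origin (or, failing that, Referer) is our own.
    A request with neither header fails closed: it is a state-changing action."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin == ALLOWED_ORIGIN


def csrf_token_valid(session, form):
    """Compare the submitted token with the session token in constant time."""
    expected = session.get("csrf_token")
    submitted = form.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected.encode(), submitted.encode())


def handle_pm_post(session, headers, form):
    """Gatekeeper for the private-message POST. Returns (http_status, reason);
    only a 200 result would proceed to actually send the message."""
    if not session.get("authenticated"):
        return 401, "not authenticated"
    if not origin_allowed(headers):
        return 403, "origin check failed"
    if not csrf_token_valid(session, form):
        return 403, "csrf token missing or invalid"
    return 200, f"pm queued to uid {form.get('receiver')}"


def demo():
    """Run the gate against a legitimate submission and two forged ones."""
    session = {"authenticated": True}
    token = issue_csrf_token(session)
    good = {"receiver": "42", "subject": "hi", "msg": "hello", "csrf_token": token}
    forged = {"receiver": "42", "subject": "hi", "msg": "hello"}  # no token available cross-site
    return {
        "legit": handle_pm_post(session, {"Origin": ALLOWED_ORIGIN}, good),
        "cross_site": handle_pm_post(session, {"Origin": "https://other.example"}, good),
        "same_origin_no_token": handle_pm_post(session, {"Origin": ALLOWED_ORIGIN}, forged),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The Origin check alone is not sufficient (some clients omit the header), and the token alone does not help if the token can leak, which is why the mitigation text asks for both; the example applies them in sequence and fails closed whenever either cannot be verified.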

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"Missing CSRF protection on the private message sending action allows an attacker to forge requests on behalf of an authenticated user."

Attack vector

An attacker lures an authenticated XBTIT user to a malicious web page that contains an auto-submitting HTML form [ref_id=1]. The form targets the vulnerable endpoint at /index.php?page=usercp&do=pm&action=post&uid=UID&what=new, where UID is the target recipient's user ID [ref_id=1]. The attacker can harvest the victim's user ID by enumerating the id parameter from the user details page at /index.php?page=userdetails&id=UID [ref_id=1]. Because the application performs no CSRF token validation, the form submission executes the private message send action using the victim's active session without their consent [ref_id=1].

Affected code

The vulnerable endpoint is /index.php?page=usercp&do=pm&action=post&uid=UID&what=new, which handles private message sending [ref_id=1]. The advisory does not identify specific source files or functions, but the form parameters (receiver, subject, fontchange, msg) indicate the message composition logic in the user control panel lacks CSRF validation [ref_id=1].

What the fix does

The advisory does not provide a patch or code-level fix for this specific CSRF issue [ref_id=1]. The solution section of the write-up addresses a different vulnerability (CVE-2018-15681) regarding cookie type configuration and does not apply to the CSRF flaw [ref_id=1]. No remediation guidance is given for the private message CSRF vulnerability described under CVE-2018-15682 [ref_id=1].

Preconditions

  • auth: The victim must be authenticated to XBTIT with an active session.
  • input: The attacker must know the target recipient's user ID (UID), obtainable from the user details page.
  • network: The attacker must host a web page that the victim visits while authenticated.

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 1