CVE-2018-15845
Description
Gleez CMS 1.2.0 contains a CSRF vulnerability that allows an attacker to add an administrator account.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Gleez CMS 1.2.0 contains a CSRF vulnerability that allows an attacker to add an administrator account.
Vulnerability
Gleez CMS 1.2.0 is vulnerable to Cross-Site Request Forgery (CSRF) in the admin user addition functionality at /admin/users/add. The application fails to validate or include a unique anti-CSRF token, allowing an attacker to forge requests that create new administrator accounts. The issue is documented in [1] and [4].
Exploitation
An attacker must trick an authenticated administrator into visiting a malicious web page (e.g., via email or a crafted link) while the administrator is logged into Gleez CMS. The attacker's page submits a POST request to /admin/users/add with predefined parameters (including name, password, and role) to create a new administrator account. The PoC in [3] demonstrates a form that automatically submits with hardcoded token and action values.
Impact
Successful exploitation allows the attacker to create a new administrator account with full privileges. This leads to complete compromise of the Gleez CMS installation, including the ability to modify content, users, and settings [1][3].
Mitigation
As of the available references, no official patch has been released for this vulnerability. The Gleez CMS repository has been archived [2]. Users should consider migrating to an alternative CMS or implement strong CSRF protections such as validating tokens for all sensitive actions. No workaround is provided in the sources.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
gleez/cmsPackagist | <= 1.2.0 | — |
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
5- www.exploit-db.com/exploits/45258/mitreexploitx_refsource_EXPLOIT-DB
- github.com/advisories/GHSA-g644-x4hj-cmhqghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2018-15845ghsaADVISORY
- github.com/gleez/cms/issues/800ghsax_refsource_MISCWEB
- www.exploit-db.com/exploits/45258ghsaWEB
News mentions
0No linked articles in our index yet.