CVE-2018-16387
Description
An issue was discovered in Elefant CMS before 2.0.5. There is a CSRF vulnerability that can add an account via user/add.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Elefant CMS before 2.0.5 has a CSRF vulnerability that allows an attacker to add an admin account by tricking a logged-in administrator.
Vulnerability
Elefant CMS versions prior to 2.0.5 contain a Cross-Site Request Forgery (CSRF) vulnerability in the /user/add endpoint. This allows an attacker to create a new administrator account without proper CSRF token validation [1][2].
Exploitation
An attacker can craft a malicious HTML page that, when visited by an authenticated administrator, automatically submits a form to /user/add with the attacker's desired account details (e.g., username, password, and admin role). The PoC shows a form with hidden inputs for all required fields, including a password and admin type [2]. No additional authentication or privileges are required beyond the victim's active session.
Impact
Successful exploitation allows the attacker to add a new administrator account, giving them full control over the CMS instance. This can lead to further compromise, including data theft, defacement, or server takeover [1][2].
Mitigation
The vulnerability is fixed in Elefant CMS version 2.0.5 [1]. Users should upgrade to this version or later. No workarounds have been provided for earlier versions.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
elefant/cmsPackagist | < 2.0.5 | 2.0.5 |
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3- github.com/advisories/GHSA-79m2-h67v-35q7ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2018-16387ghsaADVISORY
- github.com/jbroadway/elefant/issues/285ghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.