CVE-2018-17102
Description
QuickAppsCMS through 2.0.0-beta2 contains a CSRF vulnerability that allows an attacker to change the administrator password remotely.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
QuickAppsCMS (QACMS) through version 2.0.0-beta2 is affected by a cross-site request forgery (CSRF) vulnerability in the user/me URI [1]. This endpoint lacks CSRF tokens, allowing an attacker to craft a malicious HTML form that, when submitted by an authenticated administrator, modifies the administrator's password without their consent [4]. The issue resides in the user profile update functionality and requires no special configuration beyond the administrator being logged into the application.
Exploitation
An attacker must first induce an authenticated administrator of QuickAppsCMS to visit a malicious webpage while the administrator is logged into the CMS [4]. The attacker-controlled page contains an HTML form that automatically submits a PUT request to http:///en_US/user/me with new password values (e.g., password=123456 and password2=123456). Because the request is sent from the victim's browser, it includes the administrator's session cookie, and the server processes the password change without verifying the origin of the request [4]. No additional authentication or user interaction beyond the initial visit is required.
Impact
Successful exploitation allows the attacker to arbitrarily change the administrator's password [1][4]. This effectively grants the attacker full control over the administrative account, enabling further actions such as altering site content, accessing sensitive data, or creating other administrative users. The impact is high, as it results in a complete compromise of the administrator's privileges within the CMS.
Mitigation
As of the available references, no patched version has been released; the vulnerability exists up to and including version 2.0.0-beta2 [1][3]. The project appears to be in an alpha/unstable state [3]. Administrators should ensure proper CSRF protections are implemented, such as including anti-CSRF tokens in all state-changing requests. Until a fix is published, limiting access to the admin interface and using additional authentication layers (e.g., HTTP basic auth) may reduce risk. No KEV listing has been reported.
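The mitigation above calls for anti-CSRF tokens on every state-changing request. The following Python sketch is added here as an illustration and is not QuickAppsCMS code: it places a password-change handler that trusts the session cookie alone (the pattern the description attributes to user/me) beside one that additionally requires a per-session synchronizer token and an exact Origin/Referer match. `SITE_ORIGIN`, the `Session` and `Request` classes, the `_csrf_token` field name, the hashing helper and both sample requests are assumptions constructed for this example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Assumed deployment origin of the CMS (constructed for this example).
SITE_ORIGIN = "https://cms.example.test"


def hash_password(password: str) -> str:
    """Salted PBKDF2; the storage format is illustrative, not the CMS's own."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + "$" + digest.hex()


@dataclass
class Session:
    """Server-side session that the browser's cookie resolves to."""
    user: str
    password_hash: str
    # Per-session synchronizer token, rendered only into forms the site serves.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str]
    form: Dict[str, str]
    session: Optional[Session]  # None when no valid session cookie was attached


def update_password_unprotected(req: Request) -> Tuple[int, str]:
    """Honours any request the browser attached the admin cookie to,
    regardless of which origin served the form."""
    if req.session is None:
        return 401, "not logged in"
    if req.form.get("password") != req.form.get("password2"):
        return 400, "passwords do not match"
    req.session.password_hash = hash_password(req.form["password"])
    return 200, "password changed"


def same_site_origin(req: Request) -> bool:
    """Exact scheme+host comparison, so a look-alike host such as
    cms.example.test.attacker.example cannot pass a prefix test."""
    source = req.headers.get("Origin") or req.headers.get("Referer", "")
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def csrf_check_passes(req: Request) -> bool:
    token = req.form.get("_csrf_token", "")
    if not token or not hmac.compare_digest(token, req.session.csrf_token):
        return False
    return same_site_origin(req)


def update_password_protected(req: Request) -> Tuple[int, str]:
    if req.session is None:
        return 401, "not logged in"
    if req.method not in ("POST", "PUT"):
        return 405, "method not allowed"
    if not csrf_check_passes(req):
        return 403, "csrf check failed"
    if req.form.get("password") != req.form.get("password2"):
        return 400, "passwords do not match"
    req.session.password_hash = hash_password(req.form["password"])
    return 200, "password changed"


def demo() -> Dict[str, object]:
    """Run a constructed cross-site submission and a constructed legitimate
    one through both handlers and report what each did to the stored hash."""
    admin = Session(user="admin", password_hash=hash_password("original-secret"))
    original_hash = admin.password_hash

    # Constructed forged request: cookie attached by the browser, form served
    # from another origin, no synchronizer token present.
    forged = Request(
        method="PUT", path="/en_US/user/me",
        headers={"Origin": "https://attacker.example.test"},
        form={"password": "123456", "password2": "123456"},
        session=admin,
    )
    unprotected_status, _ = update_password_unprotected(forged)
    changed_by_forgery = admin.password_hash != original_hash

    admin.password_hash = original_hash  # reset before trying the hardened handler
    protected_status, _ = update_password_protected(forged)
    unchanged_when_blocked = admin.password_hash == original_hash

    # Constructed legitimate request: same-origin form carrying the session token.
    legit = Request(
        method="PUT", path="/en_US/user/me",
        headers={"Origin": SITE_ORIGIN},
        form={"password": "new-secret", "password2": "new-secret",
              "_csrf_token": admin.csrf_token},
        session=admin,
    )
    legit_status, _ = update_password_protected(legit)

    return {
        "forged_unprotected": unprotected_status,
        "forged_changed_password": changed_by_forgery,
        "forged_protected": protected_status,
        "protected_kept_password": unchanged_when_blocked,
        "legit_protected": legit_status,
    }


if __name__ == "__main__":
    print(demo())
```

The token check alone defeats a forged form, because a page on another origin cannot read the token out of the victim's session; the origin comparison is defence in depth for deployments where tokens may be leaked or cached. Both checks belong on every route that changes state, not only on the password form.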
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| quickapps/cms | Packagist | <= 2.0.0-beta2 | — |
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (4)
- github.com/advisories/GHSA-3p9v-xp6w-wcmc (GHSA: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2018-17102 (GHSA: ADVISORY)
- github.com/quickapps/cms/issues/187 (GHSA: x_refsource_MISC, WEB)
- github.com/quickapps/cms/issues/199 (GHSA: x_refsource_MISC, WEB)
News mentions (0)
No linked articles in our index yet.