VYPR
High severity · NVD Advisory · Published Sep 23, 2018 · Updated Aug 5, 2024

CVE-2018-17366

Description

An issue was discovered in MCMS 4.6.5. There is a CSRF vulnerability that can add an administrator account via ms/basic/manager/save.do.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

MCMS 4.6.5 has a CSRF vulnerability that allows an attacker to add a new administrator account by tricking a logged-in admin into visiting a crafted request.

Vulnerability

MCMS version 4.6.5 is vulnerable to Cross-Site Request Forgery (CSRF) in the administrator account creation endpoint. The flaw resides in /ms/basic/manager/save.do, which does not validate the origin or include an anti-CSRF token. As a result, an attacker can force a logged-in administrator to unknowingly submit a request that creates a new administrative account. The affected version is clearly stated in the CVE description [1][2].

Exploitation

To exploit this vulnerability, an attacker must trick an authenticated administrator into visiting a malicious web page or clicking a crafted link while their session is active. No special network position is required beyond the ability to deliver the crafted request (e.g., via phishing email or a compromised site). The attacker crafts a request to ms/basic/manager/save.do with parameters that define a new administrator account (e.g., username, password, role). When the victim's browser sends the request, it includes the administrator's session cookie, and the server processes it as legitimate [1][2].

Impact

A successful CSRF attack results in the unauthorized creation of an administrator account. The attacker then gains full administrative privileges over the MCMS instance, allowing them to manage content, users, and system settings. This leads to a complete compromise of confidentiality, integrity, and availability of the affected application [1][2].

Mitigation

As of the publication date (2018-09-23), no official patch or fixed version has been released. The project repository does not indicate a newer version that addresses this issue [1][2]. The recommended mitigation is to implement CSRF protection, such as synchronizer tokens or SameSite cookies, on sensitive actions like administrator creation. Additionally, administrators should avoid clicking suspicious links while logged into the application. The CVE is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
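The mitigation above names two controls: a synchronizer token on the state-changing endpoint and a SameSite attribute on the session cookie. The following is an added illustration of how a server-side check combining them would behave; it is not MCMS code and not a patch for this CVE. Only the endpoint path comes from the advisory; the request model, the allowed origin, the form field names and the JSESSIONID cookie name are assumptions for the demo.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import urlparse

# Endpoint named in the advisory; any other state-changing admin path would
# go into the same set.
PROTECTED_PATHS = {"/ms/basic/manager/save.do"}
# Constructed value: the origin the CMS is served from.
ALLOWED_ORIGIN = "https://cms.example.internal"
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


@dataclass
class Session:
    """Server-side session carrying a per-session synchronizer token."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    """Minimal request model (assumed shape, not a real framework object)."""
    method: str
    path: str
    session: Optional[Session]   # resolved from the session cookie, or None
    headers: Dict[str, str]
    form: Dict[str, str]


def same_origin(url: str, allowed: str) -> bool:
    o, a = urlparse(url), urlparse(allowed)
    return (o.scheme, o.netloc) == (a.scheme, a.netloc)


def check_csrf(req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason). Runs before the handler for protected paths."""
    if req.method.upper() not in STATE_CHANGING or req.path not in PROTECTED_PATHS:
        return True, "not a protected state-changing request"
    if req.session is None:
        return False, "no authenticated session"
    # Layer 1: Origin/Referer. Browsers attach Origin to cross-site form POSTs;
    # a value from anywhere but our own origin is rejected outright.
    src = req.headers.get("Origin") or req.headers.get("Referer")
    if src and not same_origin(src, ALLOWED_ORIGIN):
        return False, "cross-origin request from " + urlparse(src).netloc
    # Layer 2: synchronizer token. A third-party page cannot read the victim's
    # token, so a forged form cannot carry it. Compare in constant time.
    submitted = req.form.get("_csrf", "")
    if not submitted or not hmac.compare_digest(submitted, req.session.csrf_token):
        return False, "missing or invalid CSRF token"
    return True, "ok"


def session_cookie_header(session_id: str) -> str:
    """Defence in depth: SameSite=Lax keeps the cookie off cross-site POSTs, so
    a forged request would arrive without the admin's session at all.
    JSESSIONID is the usual Java servlet cookie name (assumed here)."""
    return ("Set-Cookie: JSESSIONID=" + session_id
            + "; Path=/; Secure; HttpOnly; SameSite=Lax")


def demo():
    """Three constructed requests against the same logged-in admin session."""
    admin = Session(user="admin")
    path = "/ms/basic/manager/save.do"
    # The CMS's own form: same origin, carries the embedded token.
    legit = Request("POST", path, admin, {"Origin": ALLOWED_ORIGIN},
                    {"username": "newadmin", "role": "admin",
                     "_csrf": admin.csrf_token})
    # A cross-site form submission: foreign Origin, no token.
    cross_site = Request("POST", path, admin,
                         {"Origin": "https://attacker.example"},
                         {"username": "newadmin", "role": "admin"})
    # The same submission with Origin/Referer stripped: still no token.
    stripped = Request("POST", path, admin, {},
                       {"username": "newadmin", "role": "admin"})
    return check_csrf(legit), check_csrf(cross_site), check_csrf(stripped)


if __name__ == "__main__":
    for allowed, reason in demo():
        print("ALLOW" if allowed else "DENY ", reason)
```

The two layers are deliberately independent: the Origin check fails closed only when a header is present, because some clients strip it, while the token check rejects any request that lacks the per-session secret regardless of headers. The SameSite cookie attribute is a third, browser-enforced layer that costs nothing to add.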

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                        Affected versions   Patched versions
net.mingsoft:ms-mcms (Maven)   <= 4.6.5            (none)

Affected products: 1

Patches: 0 (no patches discovered yet)


References: 3
