CVE-2018-9108
Description
CSRF in QuickAppsCMS 2.0.0-beta2 allows attackers to create admin accounts by tricking authenticated admins into submitting a malicious form.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A Cross-Site Request Forgery (CSRF) vulnerability exists in QuickAppsCMS version 2.0.0-beta2, specifically in the /admin/user/manage/add endpoint. The absence of CSRF tokens allows an attacker to craft a malicious HTML form that, when submitted by an authenticated administrator, creates a new user account with admin privileges [1][2].
Exploitation
The attacker hosts a page containing a hidden form that submits a POST request to the vulnerable endpoint with parameters for a new admin account (e.g., username "test", password "testtest"). The attacker then tricks a logged-in administrator into visiting the page; the browser submits the form and automatically attaches the victim's session cookies, so the CMS processes it as a legitimate admin action. No further authentication or user interaction is required beyond loading the page [2].
Impact
Upon successful exploitation, the attacker gains a fully privileged admin account within the QuickAppsCMS instance. This leads to complete compromise of the CMS, including the ability to modify content, access sensitive data, and execute further attacks [1][2].
Mitigation
As of the publication date (2018-03-28), no patch has been released for QuickAppsCMS 2.0.0-beta2. Developers should implement CSRF protection (e.g., a per-session token embedded in every form and validated server-side on every state-changing request) on all state-changing endpoints. Users are advised to upgrade to a stable version when available or apply manual CSRF mitigations [1][2].
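As an added example (not QuickAppsCMS or CakePHP code), the following Python models both halves of this advisory: the auto-submitting hidden form described under Exploitation, and the synchronizer-token check called for under Mitigation, with an Origin check as defence in depth. The endpoint path and the "test"/"testtest" credentials come from the advisory; the form field names `username`, `password` and `role`, the token field `_csrfToken`, the `Session`/`Request` classes and the site names are assumptions for illustration.

```python
import hmac
import html
import secrets


# Constructed attacker page (not from the advisory): a hidden form that the
# victim's browser submits to the vulnerable endpoint as soon as the page loads.
# The credentials come from the advisory text; the field names are assumed.
def attacker_page(target_site):
    fields = {"username": "test", "password": "testtest", "role": "admin"}
    inputs = "".join(
        f'<input type="hidden" name="{k}" value="{html.escape(v)}">'
        for k, v in fields.items()
    )
    return (
        f'<form id="f" method="POST" action="{target_site}/admin/user/manage/add">'
        f"{inputs}</form>"
        '<script>document.getElementById("f").submit()</script>'
    )


class Session:
    """Server-side session: the CSRF token lives here, never in the URL."""

    def __init__(self):
        self.csrf_token = secrets.token_urlsafe(32)


class Request:
    """What the server sees. `session` is resolved from the cookie the browser
    attaches automatically; `origin` is the Origin header the browser sets on
    cross-site form POSTs."""

    def __init__(self, session, form, origin):
        self.session = session
        self.form = form
        self.origin = origin


def add_user_vulnerable(req, users):
    """Models the 2.0.0-beta2 behaviour: only 'is there an admin session?' is checked."""
    if req.session is None:
        return 401
    users[req.form["username"]] = req.form.get("role", "user")
    return 201


def add_user_hardened(req, users, site_origin):
    """Synchronizer-token check plus an Origin check as defence in depth."""
    if req.session is None:
        return 401
    token = req.form.get("_csrfToken", "")
    # Constant-time compare; a cross-site page cannot read the token out of the session.
    if not hmac.compare_digest(token, req.session.csrf_token):
        return 403
    # Browsers send Origin on cross-site POSTs; reject anything not from the site itself.
    if req.origin is not None and req.origin != site_origin:
        return 403
    users[req.form["username"]] = req.form.get("role", "user")
    return 201


def simulate(site="https://cms.example"):
    """Replay the forged request against both handlers, and a legitimate one against the fix."""
    admin_session = Session()  # the victim is already logged in
    forged_form = {"username": "test", "password": "testtest", "role": "admin"}
    # The browser attaches the admin's cookie, but the attacker cannot supply the token.
    forged = Request(admin_session, forged_form, origin="https://evil.example")
    legit_form = dict(forged_form, _csrfToken=admin_session.csrf_token)
    legit = Request(admin_session, legit_form, origin=site)

    users_vuln, users_fixed = {}, {}
    return {
        "page_targets_endpoint": "/admin/user/manage/add" in attacker_page(site),
        "vulnerable": add_user_vulnerable(forged, users_vuln),
        "vulnerable_created_admin": users_vuln.get("test") == "admin",
        "hardened_forged": add_user_hardened(forged, users_fixed, site),
        "hardened_legit": add_user_hardened(legit, users_fixed, site),
        "hardened_users": users_fixed,
    }


if __name__ == "__main__":
    print(simulate())
```

The vulnerable handler accepts the forged request with 201 and an admin account appears; the hardened handler returns 403 for the same request because the token is absent, and 201 only for the request that carries the session's token from a same-origin form. The Origin check alone is not a substitute for the token (some clients omit the header), which is why the token check runs first.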
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- ghsa-coords
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-62g2-8p9f-ghjp (GitHub advisory)
- nvd.nist.gov/vuln/detail/CVE-2018-9108 (NVD)
- github.com/quickapps/cms/issues/187 (upstream issue)
News mentions
No linked articles in our index yet.