CVE-2019-20390
Description
A Cross-Site Request Forgery (CSRF) vulnerability was discovered in Subrion CMS 4.2.1 that allows a remote attacker to remove files on the server without a victim's knowledge, by enticing an authenticated user to visit an attacker's web page. The application fails to validate the CSRF token for a GET request. An attacker can craft a panel/uploads/read.json?cmd=rm URL (removing this token) and send it to the victim.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Subrion CMS 4.2.1 is vulnerable to CSRF, allowing an attacker to delete server files by tricking an authenticated user into visiting a crafted URL.
Vulnerability
A Cross-Site Request Forgery (CSRF) vulnerability exists in Subrion CMS version 4.2.1. The application fails to validate a CSRF token for GET requests, specifically in the panel/uploads/read.json endpoint. An attacker can craft a URL such as panel/uploads/read.json?cmd=rm that omits the token, and if an authenticated user visits this URL, the server executes the file removal command without the user's knowledge [1].
Exploitation
To exploit this vulnerability, the attacker must lure an authenticated Subrion CMS user into clicking a malicious link or visiting a crafted web page. The attack does not require any special privileges beyond the victim being logged in. The crafted GET request directly triggers the removal of files on the server, as the CSRF token is not checked for this type of request [1].
Impact
Successful exploitation allows a remote attacker to delete files on the server, potentially leading to data loss, denial of service, or further compromise of the CMS. The attack is executed without the victim's awareness, making it a serious security risk [1].
Mitigation
As of the publication date, no official patch or workaround has been released for this vulnerability. Users are advised to upgrade to a patched version if available, or implement additional CSRF protections such as custom token validation for GET requests.
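As an added illustration (not Subrion's code and not code from this CVE's references), a hypothetical Python model of a read.json-style uploads handler: the flawed variant checks the session token only on POST, so a cross-site GET carrying cmd=rm is executed, while the hardened variant requires both POST and a matching token for any state-changing command. Names, the command set and the in-memory file store are assumptions made for the example.

```python
import hmac
from dataclasses import dataclass, field

# Hypothetical command set for an uploads manager (assumption, not Subrion's).
STATE_CHANGING_CMDS = {"rm", "rename", "mkdir", "upload"}


@dataclass
class Request:
    method: str
    params: dict
    session_token: str              # CSRF token bound to the victim's session
    file_store: set = field(default_factory=set)  # constructed stand-in for disk


def _token_valid(req: Request) -> bool:
    """Constant-time comparison of the submitted token with the session token."""
    sent = req.params.get("token", "")
    return bool(sent) and hmac.compare_digest(sent, req.session_token)


def handle_vulnerable(req: Request) -> str:
    """Flawed pattern: the token is only checked for POST, never for GET."""
    cmd = req.params.get("cmd", "")
    if req.method == "POST" and not _token_valid(req):
        return "forbidden"
    if cmd == "rm":                 # GET ?cmd=rm reaches here with no token
        req.file_store.discard(req.params.get("path"))
        return "removed"
    return "listed"


def handle_hardened(req: Request) -> str:
    """Hardened: state-changing commands need POST and a valid token."""
    cmd = req.params.get("cmd", "")
    if cmd in STATE_CHANGING_CMDS:
        if req.method != "POST":    # destructive work never rides on GET
            return "method_not_allowed"
        if not _token_valid(req):   # token is mandatory, not optional
            return "forbidden"
    if cmd == "rm":
        req.file_store.discard(req.params.get("path"))
        return "removed"
    return "listed"


def forged_get(store: set) -> Request:
    """Constructed cross-site request: a link the victim's browser follows."""
    return Request("GET", {"cmd": "rm", "path": "a.txt"}, "s3cr3t", store)
```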
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Subrion/CMS (source: description)
- ghsa-coords
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] github.com/advisories/GHSA-c4wx-3x5q-hf4w (source: ghsa; type: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2019-20390 (source: ghsa; type: ADVISORY)
- packetstormsecurity.com/files/157700/Subrion-CMS-4.2.1-Cross-Site-Request-Forgery.html (source: ghsa; tags: x_refsource_MISC, WEB)
News mentions
No linked articles in our index yet.