CVE-2019-9603
Description
MiniCMS 1.10 allows mc-admin/post.php?state=publish&delete= CSRF to delete articles, a different vulnerability than CVE-2018-18891.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
MiniCMS 1.10 has a CSRF vulnerability in mc-admin/post.php that lets attackers delete articles by tricking an authenticated admin into visiting a malicious page.
Vulnerability
MiniCMS version 1.10 contains a cross-site request forgery (CSRF) vulnerability in the mc-admin/post.php endpoint. The script accepts a delete parameter via GET requests without requiring a CSRF token or any confirmation. The vulnerable URL is mc-admin/post.php?state=publish&delete=... [1]. An authenticated administrator is required for the attack to succeed, as the request must include their session.
Exploitation
An attacker can craft a malicious HTML page containing an element that makes a GET request to the vulnerable URL with the delete parameter set to the desired article identifier [1]. The attacker then lures a logged-in administrator into visiting this page, which triggers the request in the context of the admin's session, causing the article to be deleted without the admin's knowledge or consent.
Impact
Successful exploitation allows an attacker to delete any article in the MiniCMS installation. This leads to denial of service and loss of content. The attack requires no special privileges beyond the administrator being logged in, and it does not require interaction from the victim beyond visiting the malicious page. The CSRF attack is performed with the same privileges as the administrator.
Mitigation
As of the publication date (2019-03-06), no official patch or fixed version has been released. The vendor did not provide a workaround in the reference [1]. Users are advised to implement CSRF protections such as anti-CSRF tokens, same-origin checks, or requiring POST with a nonce for deletion operations. If the software is no longer maintained, consider migrating to an alternative CMS.
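The protections named above (POST only, a same-origin check, and a per-session token), combined into one guard for a delete handler. This is an added example, not MiniCMS code or a vendor fix; the function names, the csrf_token form field and session key, and the cms.example host are assumptions.

```php
<?php
// Added example, not MiniCMS code. Function names, the 'csrf_token' field and
// session key, and the sample hosts are assumptions made for illustration.
declare(strict_types=1);
/** Return the per-session token, creating it on first use. */
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

/** True when the Origin header, if sent, names the host that served the request. */
function same_origin(array $server): bool
{
    $origin = $server['HTTP_ORIGIN'] ?? '';
    if ($origin === '') {
        return true; // header absent: the token check still applies
    }
    $host = parse_url($origin, PHP_URL_HOST);
    $port = parse_url($origin, PHP_URL_PORT);
    if (!is_string($host)) {
        return false; // "null" or malformed Origin
    }
    $authority = is_int($port) ? "$host:$port" : $host;
    return strtolower($authority) === strtolower($server['HTTP_HOST'] ?? '');
}

/** Decide whether a delete request may proceed; returns the HTTP status to send. */
function check_delete_request(array $server, array $post, array $session): int
{
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return 405; // a GET such as ?state=publish&delete=... must never change state
    }
    if (!same_origin($server)) {
        return 403;
    }
    $expected = (string)($session['csrf_token'] ?? '');
    $supplied = $post['csrf_token'] ?? '';
    $ok = $expected !== '' && is_string($supplied) && hash_equals($expected, $supplied);
    return $ok ? 200 : 403;
}

// Constructed sample requests (not real traffic): forged GET, cross-site POST, legitimate POST.
$session = [];
$form = ['csrf_token' => csrf_token($session)];
$base = ['REQUEST_METHOD' => 'POST', 'HTTP_HOST' => 'cms.example'];
var_dump(check_delete_request(['REQUEST_METHOD' => 'GET'] + $base, [], $session));
var_dump(check_delete_request($base + ['HTTP_ORIGIN' => 'https://other.example'], $form, $session));
var_dump(check_delete_request($base + ['HTTP_ORIGIN' => 'https://cms.example'], $form, $session));
```

In a real handler the arrays would be $_SERVER, $_POST and $_SESSION after session_start(), and the delete form would carry the token from csrf_token() in a hidden field.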
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References
[1] github.com/bg5sbk/MiniCMS/issues/29 (mitre, x_refsource_MISC)