VYPR
High severity · NVD Advisory · Published Jun 23, 2020 · Updated Aug 4, 2024

CVE-2020-13155


Description

clearsystem.php in NukeViet 4.4 allows CSRF with resultant HTML injection via the deltype parameter to the admin/index.php?nv=webtools&op=clearsystem URI.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CSRF in NukeViet 4.4 allows attackers to perform unauthorized actions, such as changing the admin password or deleting logs, via the clearsystem.php page.

CVE-2020-13155 describes a Cross-Site Request Forgery (CSRF) vulnerability in NukeViet CMS version 4.4. The flaw exists in the clearsystem.php component, which is accessible via the URI admin/index.php?nv=webtools&op=clearsystem. An attacker can craft a malicious request that, when triggered by an authenticated administrator, performs unintended actions such as HTML injection through the deltype parameter [1][2].

Exploitation requires the attacker to trick a logged-in admin into visiting a crafted page or link. No authentication is needed beyond the victim's existing session. The CSRF attack can modify the deltype parameter to inject arbitrary HTML, potentially leading to further attacks like cross-site scripting (XSS) if the injected content is rendered. Additionally, publicly available exploit code demonstrates how an attacker can change the admin password, create new admin users, or delete sensitive log files without the victim's knowledge [1].

The impact of successful exploitation is severe. An attacker can gain full administrative control of the NukeViet instance by changing the password of the primary admin account, or create new admin accounts for persistent access. They can also delete log files, covering their tracks and hindering forensic analysis. The HTML injection could be leveraged to execute scripts in the context of the admin interface, further compromising the site [1][2].

As of the publication date, no official patch or security release addressing this specific CSRF vulnerability has been identified. Users of NukeViet 4.4 are advised to implement CSRF protections, such as requiring a unique token for sensitive actions, or to upgrade to a later version if available. The vendor's website and GitHub repository indicate ongoing development, but no dedicated advisory for this CVE was found [3][4].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
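
One way to implement the token requirement recommended above, together with an allowlist for `deltype`, shown as an added example (not NukeViet code and not taken from the cited references). The function names, the `token` field, and the allowlisted `deltype` values are hypothetical.

```php
<?php
declare(strict_types=1);
// Added example with hypothetical names; not NukeViet's own code.
// Constructed allowlist: the real deltype values are not given on this page.
const ALLOWED_DELTYPES = ['example_cache', 'example_logs'];

// Per-session secret, per-action token: a token for one form cannot be replayed on another.
function csrf_token(array &$session, string $action): string
{
    if (empty($session['csrf_secret'])) {
        $session['csrf_secret'] = bin2hex(random_bytes(32));
    }
    return hash_hmac('sha256', $action, $session['csrf_secret']);
}

// Fails closed on a missing secret or a non-string token; compares in constant time.
function csrf_valid(array $session, string $action, $submitted): bool
{
    if (empty($session['csrf_secret']) || !is_string($submitted)) {
        return false;
    }
    return hash_equals(hash_hmac('sha256', $action, $session['csrf_secret']), $submitted);
}

// Returns [HTTP status, HTML-safe message] for a state-changing request.
function handle_clear(string $method, array $post, array $session): array
{
    if ($method !== 'POST') {
        return [405, 'Method not allowed'];
    }
    if (!csrf_valid($session, 'clearsystem', $post['token'] ?? null)) {
        return [403, 'Invalid or missing CSRF token'];
    }
    // Keep only string values that are on the allowlist; never echo raw input.
    $requested = array_filter((array) ($post['deltype'] ?? []), 'is_string');
    $accepted = array_values(array_intersect(ALLOWED_DELTYPES, $requested));
    if ($accepted === []) {
        return [400, 'No valid deltype selected'];
    }
    return [200, 'Cleared: ' . htmlspecialchars(implode(', ', $accepted), ENT_QUOTES, 'UTF-8')];
}

// Constructed demo: a forged cross-site POST carries no token and is refused.
$session = [];
$token = csrf_token($session, 'clearsystem');
$forged = handle_clear('POST', ['deltype' => ['<b>x</b>']], $session);
$legit = handle_clear('POST', ['token' => $token, 'deltype' => ['example_cache', '<b>x</b>']], $session);
printf("%d %s\n%d %s\n", $forged[0], $forged[1], $legit[0], $legit[1]);
```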

Affected products

2

Patches

0

No patches discovered yet.


References

5
