VYPR
Moderate severity · NVD Advisory · Published Jun 23, 2020 · Updated Aug 4, 2024

CVE-2020-13156


Description

modules\users\admin\add_user.php in NukeViet 4.4 allows CSRF to add a user account via the admin/index.php?nv=users&op=user_add URI.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CSRF in NukeViet 4.4 allows attackers who are not themselves authenticated to add arbitrary admin accounts via a crafted form submitted from an authenticated administrator's browser.

Vulnerability Overview

CVE-2020-13156 is a Cross-Site Request Forgery (CSRF) vulnerability in NukeViet CMS version 4.4.00. The issue exists in the modules/users/admin/add_user.php script, which fails to implement any anti-CSRF token or origin validation. As a result, an attacker can craft a malicious HTML form that, when submitted by an authenticated administrator, creates a new user account with administrative privileges [1].

Attack Vector and Prerequisites

Exploitation requires no special privileges beyond tricking an authenticated admin into visiting a malicious page. The attacker hosts a form that auto-submits to the vulnerable endpoint admin/index.php?nv=users&op=user_add using a POST request. Because the browser automatically includes the victim's session cookies, the request is processed as if coming from the legitimate admin [1]. The exploit can be delivered via phishing, drive-by download, or by injecting the payload into another trusted site.

Impact

Successful exploitation grants the attacker a fully privileged admin account on the NukeViet installation. With admin access, the attacker can alter site content, modify user profiles, delete sensitive data, or further compromise the server. The vendor’s official website and GitHub repository indicate that NukeViet 4.4 is a widely used content management system, making this vulnerability particularly impactful for sites running the affected version [3][4].

Remediation

NukeViet developers should implement CSRF tokens or other anti-forgery measures (e.g., SameSite cookies, origin header checks) in user administrative operations. As of the publication date (June 2020), no patch has been released for this specific version, and administrators are advised to upgrade to a newer, patched release if available, or apply manual input validation and CSRF protections as a workaround.
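One way to combine the measures named above (session-bound token, Origin/Referer check, SameSite cookie) in front of a state-changing admin POST such as the user-add request. This is an added example, not NukeViet's code or its fix; the function names, the `csrf_token` form field and `ALLOWED_ORIGIN` are assumptions.

```php
<?php
// Added example, not NukeViet code. Function names, the csrf_token field and
// ALLOWED_ORIGIN are hypothetical.
declare(strict_types=1);

const ALLOWED_ORIGIN = 'https://cms.example'; // constructed value: the site's own origin

function start_admin_session(): void
{
    // SameSite=Strict keeps the session cookie off requests initiated by other sites.
    session_set_cookie_params([
        'path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Strict',
    ]);
    session_start();
}

function csrf_token(): string
{
    // One random token per session; render it as a hidden field in the add-user form.
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function same_origin(array $server): bool
{
    // Prefer Origin, fall back to Referer; a POST carrying neither is rejected.
    $source = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '';
    $p = parse_url($source);
    if (!is_array($p) || !isset($p['scheme'], $p['host'])) {
        return false; // covers an empty header and "Origin: null"
    }
    $origin = $p['scheme'] . '://' . $p['host'] . (isset($p['port']) ? ':' . $p['port'] : '');
    return hash_equals(ALLOWED_ORIGIN, $origin);
}

function require_csrf(array $server, array $post): void
{
    // Call before any database write in the handler that creates the account.
    $expected = $_SESSION['csrf_token'] ?? '';
    $sent = $post['csrf_token'] ?? '';
    $ok = ($server['REQUEST_METHOD'] ?? '') === 'POST' && same_origin($server)
        && is_string($sent) && $expected !== '' && hash_equals($expected, $sent);
    if (!$ok) {
        http_response_code(403);
        exit('Request rejected');
    }
}
```

In the handler, `start_admin_session()` runs first and `require_csrf($_SERVER, $_POST)` runs before the account is created; the form template emits `csrf_token()` as a hidden input.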

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.


References

5
