VYPR

Moderate severity · NVD Advisory · Published Jun 23, 2020 · Updated Aug 4, 2024

CVE-2020-13157

Description

modules\users\admin\edit.php in NukeViet 4.4 allows CSRF to change a user's password via an admin/index.php?nv=users&op=edit&userid= URI. The old password is not needed.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

NukeViet 4.4 has a CSRF vulnerability in /admin/index.php?nv=users&op=edit that allows an attacker to change user passwords without knowing the old password.

Vulnerability overview

NukeViet 4.4 suffers from a Cross-Site Request Forgery (CSRF) vulnerability in the user edit functionality. The flaw resides in modules\users\admin\edit.php, where the password change request neither requires the old password nor validates the request origin. This allows an attacker to craft a malicious page that, when visited by an authenticated admin, submits a form to change the admin user's password to a value chosen by the attacker [1].

Exploitation details

An attacker can host a crafted HTML form that automatically submits a POST request to admin/index.php?language=en&nv=users&op=edit&userid=1. The form includes all necessary fields such as username, email, and new password (e.g., password1 and password2), and is submitted without any anti-CSRF token. The attacker only needs to trick an authenticated admin into visiting the malicious page; no additional authentication or knowledge of the current password is required [1].

Impact

Successful exploitation allows the attacker to change the password of any user, escalate privileges (e.g., create new admin accounts), and alter profile details. This can lead to complete compromise of the NukeViet CMS installation, including potential deletion of sensitive files and logs [1].

Mitigation status

As of the publication date (2020-06-23), no official patch had been released. Users are advised to implement CSRF protections such as token validation or referer checking, or to upgrade to a later version if one is available. The NVD entry records a CVSS score for the vulnerability (not reproduced here) [2].
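One way a password-change handler of the kind described above could be hardened, as an added illustration that is not NukeViet's own code: every state-changing POST must carry a per-session synchronizer token, and the current password must be verified before a new one is stored. Function names, field names (csrf_token, old_password) and the storage callback are assumptions.

```php
<?php
// Added illustration, not NukeViet code: hardening a password-change POST
// handler against CSRF and against changes made without the current password.
session_start();

// Issue a per-session anti-CSRF token; embed it as a hidden field in the form.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison of the submitted token with the session token.
function csrf_valid(?string $submitted): bool {
    return is_string($submitted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

// Reject cross-site requests first, then require the current password before
// storing a new hash. $stored_hash and $save_password_hash stand in for the
// application's own user storage (assumed names).
function handle_password_change(array $post, string $stored_hash, callable $save_password_hash): string {
    if (!csrf_valid($post['csrf_token'] ?? null)) {
        return 'rejected: missing or invalid CSRF token';
    }
    if (!isset($post['old_password'], $post['password1'], $post['password2'])) {
        return 'rejected: incomplete form';
    }
    if (!password_verify($post['old_password'], $stored_hash)) {
        return 'rejected: current password incorrect';
    }
    if ($post['password1'] !== $post['password2']) {
        return 'rejected: new passwords do not match';
    }
    $save_password_hash(password_hash($post['password1'], PASSWORD_DEFAULT));
    unset($_SESSION['csrf_token']); // rotate the token after a successful change
    return 'ok';
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Constructed demo value: hash of the user's current password "correct horse".
    $stored = password_hash('correct horse', PASSWORD_DEFAULT);
    echo handle_password_change($_POST, $stored, function (string $h) { /* persist $h */ });
}
```

A SameSite cookie attribute on the session cookie and an Origin header check are complementary defenses, but the session-bound token and the old-password requirement are what close the two gaps named in the advisory.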

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 5

News mentions: 0 (no linked articles in our index yet)