CVE-2020-18326
Description
Cross-Site Request Forgery (CSRF) vulnerability exists in Intelliants Subrion CMS v4.2.1 via the Members administrator function, which could let a remote unauthenticated attacker cause an authenticated victim's browser to send a forged request and successfully create an arbitrary administrator user.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Subrion CMS v4.2.1 is vulnerable to CSRF in the Members admin function, allowing an unauthenticated attacker to create an arbitrary admin user.
Vulnerability
A Cross-Site Request Forgery (CSRF) vulnerability exists in Intelliants Subrion CMS version 4.2.1. The flaw is located in the Members administrator function, which does not implement CSRF tokens or other anti-forgery protections. This allows an attacker to craft a malicious request that, when executed by an authenticated administrator, creates a new administrator user with arbitrary credentials [1][3].
Exploitation
An unauthenticated remote attacker can exploit this vulnerability by crafting a malicious HTML page (or other web-based payload) that automatically submits a forged request to the vulnerable Members endpoint. The attacker must then trick an authenticated administrator into visiting the crafted page, for example through a phishing link or by hosting the page on an attacker-controlled site [3]. The victim's browser will send the forged request along with their existing session cookie, causing Subrion CMS to process the action as if initiated by the administrator. The proof-of-concept demonstrates that a new administrator user named admincsrf is created upon exploitation [3].
Impact
Successful exploitation allows the attacker to create an arbitrary administrator account on the Subrion CMS instance. Once the rogue administrator account exists, the attacker can gain full control over the CMS, including the ability to modify content, access sensitive information, or compromise the underlying server [1][3]. This represents a complete compromise of the application's confidentiality, integrity, and availability.
Mitigation
As of the available references, no patched version of Subrion CMS has been released for this vulnerability. The reference provided by the exploit author suggests following OWASP CSRF prevention guidelines, such as implementing anti-CSRF tokens, using same-site cookies, and validating the origin/referrer header [3]. Users are advised to apply these generic CSRF protections manually or upgrade to a future version of Subrion CMS that addresses this issue. The CVE has a public proof-of-concept and was disclosed in February 2022 [3].
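The defences listed above, combined as a server-side gate for a state-changing admin action such as creating a member. This is an added example, not Subrion's own code; the site origin, cookie name and secret are placeholders.

```python
import hmac
import hashlib
from urllib.parse import urlsplit

# Assumed deployment origin of the CMS (placeholder, not a real host).
SITE_ORIGIN = "https://cms.example.test"


def issue_csrf_token(session_id: str, secret: bytes) -> str:
    """Derive a per-session anti-CSRF token from a server-held key.

    The token is embedded in admin forms; a cross-site page cannot read it."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value with SameSite=Lax so cross-site POSTs omit the cookie."""
    return f"session={session_id}; Secure; HttpOnly; SameSite=Lax"


def origin_allowed(headers: dict) -> bool:
    """Origin header (or Referer as fallback) must match the site's own origin."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False  # neither header present: treat as untrusted
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin == SITE_ORIGIN


def validate_state_change(headers: dict, cookies: dict, form: dict, secret: bytes) -> bool:
    """Allow the action only if the session exists, the token matches the
    session, and the request did not originate cross-site."""
    session_id = cookies.get("session")
    if not session_id:
        return False
    expected = issue_csrf_token(session_id, secret).encode()
    supplied = str(form.get("csrf_token", "")).encode()
    # Constant-time comparison avoids leaking the token byte by byte.
    if not hmac.compare_digest(expected, supplied):
        return False
    return origin_allowed(headers)
```

A forged request carries the victim's session cookie but neither the token nor a matching Origin, so it fails both checks independently.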
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| intelliants/subrion (Packagist) | <= 4.2.1 | — |
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-9cc3-5w85-pxvx (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2020-18326 (ghsa, ADVISORY)
- intelliants.com (mitre, x_refsource_MISC)
- subrion.com (mitre, x_refsource_MISC)