VYPR
Medium severity · 5.3 · NVD Advisory · Published May 16, 2026

CVE-2020-37241

Description

bloofoxCMS 0.5.2.1 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions by tricking logged-in users into visiting malicious pages. Attackers can craft hidden forms targeting the admin user creation endpoint to add new administrative accounts with arbitrary credentials without requiring explicit user consent.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

bloofoxCMS 0.5.2.1 lacks CSRF protection on the admin user creation endpoint, allowing attackers to create arbitrary admin accounts by tricking logged-in users into visiting a malicious page.

Vulnerability

bloofoxCMS 0.5.2.1 suffers from a cross-site request forgery (CSRF) vulnerability in the admin user creation functionality [1][2]. The application fails to perform any validity checks on HTTP requests to the user-facing endpoints, such as generating unique tokens. As a result, an attacker can craft a hidden form that submits a POST request to admin/index.php?mode=user&action=new&submit=send with arbitrary username, password, and role parameters without any session-specific nonce or origin verification [2].

Exploitation

An attacker can host a malicious HTML page containing an auto-submitting form that targets the vulnerable admin endpoint. When a logged-in administrator visits this page (e.g., via a phishing link or embedded in another site), the form silently transmits the forged request using the victim's active session [2]. No explicit user interaction is required beyond navigation to the crafted page; the PoC provided by security researchers uses window.onload to trigger the submission automatically, requiring only that the administrator is authenticated [2]. The attack requires no additional privileges or user interface actions.

Impact

Successful exploitation allows an attacker to create a new administrative account with arbitrary credentials (username, password, and admin role) [2]. This effectively grants the attacker full control over the CMS, enabling them to modify content, change configuration, or escalate further attacks against the application or its users. The CSRF vulnerability is present in versions up to and including 0.5.2.1 [4].

Mitigation

bloofoxCMS 0.5.2.1 is the mentioned fix version. The reference suggests it has been addressed in this release, but no descriptive changelog or explicit CSRF fix is confirmed in the notes [1]. The vendor homepage lists 0.5.2.1 as the latest version but does not detail the vulnerability [3]. Users should upgrade to 0.5.2.1 if they are running an earlier version, apply web application firewall rules to validate origin headers, or enforce a CSRF token mechanism in custom code until an official patch is confirmed.
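The two mitigations named above (a per-session CSRF token checked on every state-changing request, and Origin/Referer validation against the site's own origin) are shown below as a small Python model of an admin "create user" handler. This is an added example, not code from bloofoxCMS or from the advisory; the site origin, the `csrf_token` form field name and the dict-based session are assumptions made for the example, and the same logic ports directly to the CMS's own PHP (with `hash_equals` in place of `hmac.compare_digest`). The unprotected handler is included only to make the difference visible.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Hypothetical origin of the CMS install (constructed for this example).
SITE_ORIGIN = "https://cms.example.test"


def issue_csrf_token(session):
    """Generate a random per-session token and store it server-side.

    The same value is embedded as a hidden field in the legitimate admin form;
    a third-party page cannot read it, so it cannot reproduce it.
    """
    token = secrets.token_hex(32)
    session["csrf_token"] = token
    return token


def verify_csrf_token(session, submitted):
    """Constant-time comparison of the submitted token against the session copy."""
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def origin_allowed(headers, site_origin=SITE_ORIGIN):
    """Accept the request only if Origin (preferred) or Referer matches our origin.

    A state-changing request with neither header is rejected rather than
    waved through, since an absent header gives no evidence of same-origin.
    """
    origin = headers.get("Origin")
    if origin is not None:
        return origin == site_origin
    referer = headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        return f"{parts.scheme}://{parts.netloc}" == site_origin
    return False


def handle_user_create_unprotected(session, form, headers):
    """Model of the flawed behaviour: an authenticated session is the only check."""
    if not session.get("admin_logged_in"):
        return (401, "not authenticated")
    return (200, f"created user {form['username']}")


def handle_user_create(session, form, headers):
    """Hardened handler: session + origin check + CSRF token check."""
    if not session.get("admin_logged_in"):
        return (401, "not authenticated")
    if not origin_allowed(headers):
        return (403, "origin check failed")
    if not verify_csrf_token(session, form.get("csrf_token")):
        return (403, "csrf token check failed")
    # Real user creation would happen here.
    return (200, f"created user {form['username']}")


if __name__ == "__main__":
    session = {"admin_logged_in": True}
    token = issue_csrf_token(session)
    # Legitimate submission from the CMS's own admin form (constructed).
    print(handle_user_create(session, {"username": "alice", "csrf_token": token},
                             {"Origin": SITE_ORIGIN}))
    # Cross-site submission: no token, foreign Origin (constructed).
    print(handle_user_create(session, {"username": "mallory"},
                             {"Origin": "https://attacker.example"}))
```

The token check alone is sufficient against the attack described on this page; the origin check is a cheap second layer that also catches requests where the token was leaked or the form field was forgotten on a new endpoint.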

AI Insight generated by deepseek/deepseek-v4-flash-20260423 on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0 (no linked articles in our index yet)