VYPR
High severity · NVD Advisory · Published Apr 22, 2022 · Updated Aug 3, 2024

CVE-2022-27340


Description

MCMS v5.2.7 contains a Cross-Site Request Forgery (CSRF) via /role/saveOrUpdateRole.do. This vulnerability allows attackers to escalate privileges and modify data.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

MCMS v5.2.7 is vulnerable to CSRF via /role/saveOrUpdateRole.do, allowing privilege escalation and data modification.

Vulnerability

MCMS v5.2.7, a Java-based content management system, contains a Cross-Site Request Forgery (CSRF) vulnerability in the /role/saveOrUpdateRole.do endpoint, which creates or updates user roles. The endpoint accepts a state-changing request on the strength of the session cookie alone: it requires no anti-CSRF token and performs no other check (such as Origin or Referer validation) that would confirm the request was deliberately submitted from the application's own pages rather than from a third-party page the logged-in user happens to visit. The vulnerability is present in the version as released on the official GitHub repository [1].

Exploitation

An attacker hosts a web page (or sends an HTML email) containing a form that targets /role/saveOrUpdateRole.do and submits itself automatically. When an administrator who is logged into MCMS loads that content, the browser sends the forged POST together with the administrator's session cookie, so the application processes it as a legitimate administrative action. The attacker needs no account on the target and no special network position beyond being able to deliver the payload to the victim (a link, an embedded frame or image); the victim must be logged into MCMS with administrative privileges. Because MCMS is open source, the parameter names the endpoint expects can be read from the repository, so the forged request can set arbitrary fields to modify existing roles or create new roles with elevated permissions.

Impact

Successful exploitation allows the attacker to escalate privileges by changing the permissions of existing roles or creating new roles with administrative permissions. This can lead to full compromise of the MCMS instance, including unauthorized access to sensitive data, modification of site content, and potential lateral movement within the hosting environment. The impact is high because it directly affects the integrity and confidentiality of the system.

Mitigation

As of the publication date (2022-04-22), the vendor had released no patch or fixed version, and the available references provide no workaround [2]. Until a fix is available, operators should monitor the MCMS repository and apply generic CSRF defences in front of state-changing endpoints such as /role/saveOrUpdateRole.do: require a per-session anti-CSRF token (synchronizer token) in every POST and compare it in constant time; reject requests whose Origin header (or, when Origin is absent, Referer) does not match the site's own origin; and set SameSite=Lax or SameSite=Strict on the session cookie so the browser omits it from cross-site form submissions. To check whether a deployment is exposed, replay a captured role-update request carrying the session cookie but sent from a different Origin and without any token; if the role is saved, the endpoint is unprotected.
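The following is an added example, not code from MCMS or from the advisory's references. It models the exploitation and mitigation paragraphs above in one place: a cookie-only handler that accepts the forged cross-site POST, and a hardened handler that rejects it by requiring a per-session synchronizer token and checking the Origin header. The endpoint path is the one named in the advisory; the session store, the JSESSIONID cookie name, the form field names (roleName, permissions, _csrf) and the origins are assumptions chosen for illustration and are not MCMS's actual parameters.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Assumed site origin; MCMS's real deployment origin is not part of the advisory.
SITE_ORIGIN = "https://cms.example.test"
ENDPOINT = "/role/saveOrUpdateRole.do"  # endpoint named in CVE-2022-27340


@dataclass
class Request:
    """Minimal stand-in for an HTTP request as the server sees it."""
    method: str
    path: str
    cookies: dict
    headers: dict
    form: dict


@dataclass
class Session:
    user: str
    is_admin: bool
    # Synchronizer token: one unguessable secret per session, embedded in the
    # application's own forms and never readable by a third-party origin.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


SESSIONS: dict[str, Session] = {}  # constructed session store: cookie value -> session


def login(user: str, is_admin: bool) -> str:
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = Session(user, is_admin)
    return sid


def authenticate(req: Request):
    # Cookie-based auth: the browser attaches the cookie to cross-site POSTs too
    # (absent SameSite restrictions), which is exactly what CSRF relies on.
    return SESSIONS.get(req.cookies.get("JSESSIONID", ""))


def vulnerable_save_role(req: Request, roles: dict):
    """Behaviour the advisory describes: session + admin check is the only gate."""
    sess = authenticate(req)
    if sess is None or not sess.is_admin:
        return 403, "forbidden"
    roles[req.form["roleName"]] = req.form["permissions"].split(",")
    return 200, "saved"


def origin_ok(req: Request) -> bool:
    """Browsers set Origin on cross-site POSTs and scripts cannot forge it."""
    origin = req.headers.get("Origin")
    if origin is None:  # fall back to Referer when Origin is absent
        return req.headers.get("Referer", "").startswith(SITE_ORIGIN + "/")
    return origin == SITE_ORIGIN


def hardened_save_role(req: Request, roles: dict):
    """Same handler with synchronizer-token and Origin validation added."""
    sess = authenticate(req)
    if sess is None or not sess.is_admin:
        return 403, "forbidden"
    supplied = req.form.get("_csrf", "")
    # Constant-time comparison so the token cannot be guessed byte by byte.
    if not hmac.compare_digest(supplied.encode(), sess.csrf_token.encode()):
        return 403, "csrf token missing or invalid"
    if not origin_ok(req):  # defence in depth alongside the token
        return 403, "cross-origin request rejected"
    roles[req.form["roleName"]] = req.form["permissions"].split(",")
    return 200, "saved"


def forged_request(sid: str) -> Request:
    """What the admin's browser sends after an auto-submitting form on attacker.test."""
    return Request("POST", ENDPOINT, cookies={"JSESSIONID": sid},
                   headers={"Origin": "https://attacker.test"},
                   form={"roleName": "backdoor", "permissions": "role:manage,user:manage"})


def legitimate_request(sid: str) -> Request:
    """Same action submitted from the application's own form, token included."""
    return Request("POST", ENDPOINT, cookies={"JSESSIONID": sid},
                   headers={"Origin": SITE_ORIGIN},
                   form={"roleName": "editor", "permissions": "content:edit",
                         "_csrf": SESSIONS[sid].csrf_token})


def demo() -> dict:
    sid = login("admin", is_admin=True)
    roles_vuln, roles_hard = {}, {}
    return {
        "vulnerable_forged": vulnerable_save_role(forged_request(sid), roles_vuln)[0],
        "hardened_forged": hardened_save_role(forged_request(sid), roles_hard)[0],
        "hardened_legit": hardened_save_role(legitimate_request(sid), roles_hard)[0],
        "backdoor_created_vulnerable": "backdoor" in roles_vuln,
        "backdoor_created_hardened": "backdoor" in roles_hard,
        "editor_created_hardened": "editor" in roles_hard,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The forged request carries a valid session cookie and is accepted by the vulnerable handler, which is the advisory's privilege-escalation path; the hardened handler refuses it because the attacker's page cannot read the victim's token and the browser reports the attacker's origin. The token check alone is sufficient; the Origin check is kept as a second, independent gate.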

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: net.mingsoft:ms-mcms (Maven)
Affected versions: <= 5.2.7
Patched versions: none

Affected products: 2

Patches: 0

No patches discovered yet.


References: 3

News mentions: 0

No linked articles in our index yet.