VYPR
High severity. NVD Advisory. Published May 31, 2022. Updated Aug 3, 2024.

CVE-2022-29647

Description

An issue was discovered in MCMS 5.2.7. There is a CSRF vulnerability that can add an administrator account via ms/basic/manager/save.do.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

MCMS 5.2.7 has a CSRF vulnerability that allows an attacker to add an administrator account via the /ms/basic/manager/save.do endpoint.

Vulnerability

MCMS version 5.2.7 contains a Cross-Site Request Forgery (CSRF) vulnerability in the background user addition functionality. The /ms/basic/manager/save.do endpoint does not include a CSRF token or perform referer validation, allowing an attacker to craft a malicious page that, when visited by an authenticated administrator, silently adds a new administrator account [1][2].

Exploitation

An attacker must first trick an authenticated MCMS administrator into visiting a specially crafted HTML page while the administrator's session is active. The attacker can use a tool such as Burp Suite to generate a CSRF payload from the legitimate add-admin request and embed it in a local HTML file. When the administrator opens this file in the same browser where they are logged into MCMS, the request is automatically submitted, creating a new administrative user without the administrator's knowledge or interaction beyond the initial page visit [2].

Impact

Successful exploitation grants the attacker full administrative privileges over the MCMS instance. The attacker can then access and control all CMS functions, including content management, user management, and system configuration, leading to a complete compromise of the application and its data [1][2].

Mitigation

As of the publication date (2022-05-31), no official patch has been released for MCMS 5.2.7. The vendor has not announced a fixed version. Administrators should implement CSRF protections such as adding anti-CSRF tokens to sensitive endpoints, validating the HTTP Referer header, or restricting the use of the affected endpoint to safe methods. Monitoring for unexpected administrator accounts is also recommended [1][2].
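The mitigations listed above (a synchronizer token bound to the session, Origin/Referer validation, and refusing state changes over safe methods) can be illustrated with a small request handler. The following is an added example, not code from MCMS or from this advisory; the handler names, the session identifier, the origin cms.example.test, and the request dictionaries are all constructed for the demonstration, and only the endpoint path /ms/basic/manager/save.do comes from the CVE description. The "vulnerable" handler models the behaviour the advisory describes (an authenticated session cookie alone suffices); the hardened handler shows the checks that defeat a cross-origin forged submission.

```python
import hmac
import hashlib
import secrets
from urllib.parse import urlsplit

# Hypothetical server-side secret and site origin; in a real deployment both come from configuration.
SERVER_SECRET = b"replace-with-a-random-32-byte-secret"
SITE_ORIGIN = "https://cms.example.test"          # constructed origin of the CMS instance
PROTECTED_PATHS = {"/ms/basic/manager/save.do"}   # endpoint named in the advisory


def issue_csrf_token(session_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Synchronizer token: a random nonce bound to the session with an HMAC,
    so a token valid for one session cannot be replayed against another."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(token, session_id: str, secret: bytes = SERVER_SECRET) -> bool:
    """Recompute the HMAC for this session and compare in constant time."""
    if not token or "." not in token:
        return False
    nonce, _, mac = token.partition(".")
    expected = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def origin_allowed(headers: dict, site_origin: str = SITE_ORIGIN) -> bool:
    """Origin/Referer validation: Origin is preferred, Referer is the fallback,
    and a request carrying neither is treated as untrusted."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin == site_origin


def handle_save_vulnerable(request: dict) -> str:
    """Behaviour the advisory describes: a valid session cookie is the only check,
    so a browser-submitted cross-site form is indistinguishable from a real one."""
    if request["cookies"].get("session") is None:
        return "401 not logged in"
    return "200 manager created"


def handle_save_hardened(request: dict) -> str:
    """Same endpoint with the three mitigations layered in front of the action."""
    if request["path"] in PROTECTED_PATHS:
        if request["method"] != "POST":
            return "405 state change requires POST"
        session_id = request["cookies"].get("session")
        if session_id is None:
            return "401 not logged in"
        if not origin_allowed(request["headers"]):
            return "403 cross-origin request rejected"
        if not verify_csrf_token(request["form"].get("csrf_token"), session_id):
            return "403 missing or invalid CSRF token"
    return "200 manager created"


def demo():
    """Constructed requests: one from the admin UI, one forged from another site.
    Both carry the session cookie, because the browser attaches it automatically."""
    session_id = "sess-1234"  # constructed session identifier
    token = issue_csrf_token(session_id)  # server embeds this in the real admin form
    legit = {
        "method": "POST", "path": "/ms/basic/manager/save.do",
        "headers": {"Origin": SITE_ORIGIN},
        "cookies": {"session": session_id},
        "form": {"username": "newadmin", "csrf_token": token},
    }
    forged = {
        "method": "POST", "path": "/ms/basic/manager/save.do",
        "headers": {"Origin": "https://attacker.example.test"},
        "cookies": {"session": session_id},
        "form": {"username": "newadmin"},   # a foreign page cannot read the token
    }
    return (
        handle_save_vulnerable(forged),   # accepted: the flaw in the advisory
        handle_save_hardened(legit),      # accepted: all checks pass
        handle_save_hardened(forged),     # rejected at the origin check
    )


if __name__ == "__main__":
    print(demo())
```

The order of checks matters for operations: the method and origin checks are cheap and reject the bulk of forged traffic before any token work, while the HMAC-bound token remains the check that holds even when Origin and Referer are stripped by a proxy or privacy extension. Logging the 403 branches also gives the monitoring signal the advisory recommends, since a burst of rejected cross-origin posts to the manager endpoint is itself worth investigating.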

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                        | Affected versions | Patched versions
net.mingsoft:ms-mcms (Maven)   | <= 5.2.7          | none

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0

No linked articles in our index yet.