VYPR
Unrated severity · NVD Advisory · Published Feb 5, 2024 · Updated May 15, 2025

CVE-2024-24468

Description

Cross Site Request Forgery vulnerability in flusity-CMS v.2.33 allows a remote attacker to execute arbitrary code via the add_customblock.php.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A CSRF vulnerability in flusity-CMS v2.33 via add_customblock.php allows remote attackers to create new custom blocks by tricking an admin into submitting a crafted form.

Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability exists in flusity-CMS version v2.33. The issue is in the /core/tools/add_customblock.php endpoint, which implements neither an anti-CSRF token nor a Referer/Origin check. An attacker can craft a malicious HTML form that, when submitted by an authenticated administrator, creates a new custom block with attacker-controlled content [1].

Exploitation

The attacker must lure an authenticated administrator of the flusity-CMS instance to visit a malicious page (e.g., via a phishing email or malicious link). The page contains a hidden form that automatically submits a POST request to /core/tools/add_customblock.php with attacker-controlled parameters, such as a custom block name and HTML code. No authentication bypass is needed; the attack leverages the victim's existing session. A proof-of-concept using Burp Suite demonstrates the automatic submission [1].

Impact

Successful exploitation allows an attacker to create arbitrary custom blocks within the CMS. Although the immediate impact is limited to adding content, this could be used to inject malicious JavaScript (stored XSS) if the admin later views the block, or to deface the site by adding unwanted blocks. The attacker does not gain direct RCE, but the injection of arbitrary HTML/JS can lead to further compromise, such as session theft or further CSRF attacks [1].

Mitigation

As of publication (2024-02-05), no fix has been released. The vendor had not addressed the issue in the available references. The recommended mitigation is to add CSRF tokens to the add_customblock.php form and validate them on submission. As a workaround, administrators should avoid clicking untrusted links while logged into the CMS, and consider using browser extensions that block automatic form submissions. The affected version is v2.33; no later version is mentioned [1].
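One way to implement the recommended mitigation, shown here as an added example that is not flusity-CMS code: a synchronizer-token check for a PHP form handler in the style of add_customblock.php, with a same-origin check as defence in depth. The function names, the session key, the form field names and the SITE_HOST value are assumptions made for this illustration.

```php
<?php
// Added example (not flusity-CMS code): synchronizer-token CSRF protection
// for a form handler such as add_customblock.php. SITE_HOST is a constructed
// placeholder; set it to the host the CMS is actually served from.
declare(strict_types=1);

const SITE_HOST = 'cms.example.test';

// SameSite=Lax stops the browser attaching the session cookie to cross-site
// POSTs in the first place; the token check below is the primary control.
session_set_cookie_params(['samesite' => 'Lax', 'httponly' => true]);
session_start();

// Issue one random token per session and reuse it for every form.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Accept a request only if it carries the exact token stored server-side.
// hash_equals() compares in constant time.
function csrf_validate(?string $submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    if ($expected === '' || $submitted === null || $submitted === '') {
        return false;
    }
    return hash_equals($expected, $submitted);
}

// Defence in depth: browsers send Origin (or at least Referer) on cross-site
// form posts, so a mismatching host is rejected. An absent header is tolerated
// here and left to the token check.
function same_origin(string $expectedHost): bool
{
    $source = $_SERVER['HTTP_ORIGIN'] ?? $_SERVER['HTTP_REFERER'] ?? '';
    if ($source === '') {
        return true;
    }
    $host = parse_url($source, PHP_URL_HOST);
    return is_string($host) && strtolower($host) === strtolower($expectedHost);
}

if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    if (!csrf_validate($_POST['csrf_token'] ?? null) || !same_origin(SITE_HOST)) {
        http_response_code(403);
        exit('Request rejected: missing or invalid CSRF token.');
    }
    // Token and origin verified: proceed with the admin action. Block content
    // should additionally be sanitised before storage to limit stored XSS.
    $blockName = $_POST['block_name'] ?? '';
    $blockHtml = $_POST['block_html'] ?? '';
    // save_custom_block($blockName, $blockHtml);  // hypothetical persistence call
    exit('Custom block saved.');
}
?>
<!-- The token rides in a hidden field; a page on another origin cannot read it. -->
<form method="post" action="add_customblock.php">
  <input type="hidden" name="csrf_token"
         value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') ?>">
  <label>Block name <input type="text" name="block_name"></label>
  <label>Block HTML <textarea name="block_html"></textarea></label>
  <button type="submit">Add block</button>
</form>
```

The token is the control that actually closes the hole described above: the attacker's auto-submitting form can trigger the POST with the victim's cookies, but it cannot obtain the session-bound token to put in the hidden field, so the handler returns 403 before anything is written. The SameSite cookie attribute and the Origin/Referer comparison are layered on top; neither is a substitute for the token, since older browsers and some proxies strip or omit those headers.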

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0 (no linked articles in our index yet)