CVE-2024-24470
Description
Cross Site Request Forgery vulnerability in flusity-CMS v.2.33 allows a remote attacker to execute arbitrary code via the update_post.php component.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A Cross-Site Request Forgery (CSRF) vulnerability in flusity-CMS v2.33 allows a remote attacker to execute arbitrary code via the update_post.php component.
Vulnerability
A Cross-Site Request Forgery (CSRF) vulnerability exists in flusity-CMS version v2.33 in the /core/tools/update_post.php component. The component does not implement any anti-CSRF tokens or origin validation, allowing an attacker to craft a malicious request that performs actions on behalf of an authenticated administrator. The affected version is v2.33 as confirmed by the advisory [1].
Exploitation
An attacker must trick an authenticated administrator into visiting a crafted HTML page (e.g., via email or a compromised site) that automatically submits a POST request to http://127.0.0.1/core/tools/update_post.php with parameters such as mode=edit, post_id, role=admin, and other post fields. The provided proof-of-concept (PoC) demonstrates a form that, when submitted, modifies an existing post without the victim's knowledge or consent [1]. No additional user interaction beyond visiting the page is required if the form is auto-submitted via JavaScript.
Impact
Successful exploitation allows the attacker to perform any action that the victim administrator can perform through the update_post.php endpoint, such as editing posts. Depending on the CMS configuration, this could lead to arbitrary code execution if the post content is rendered unsafely or if the attacker can inject malicious code that is executed on the server. The official description states that arbitrary code execution is possible [1].
Mitigation
As of the publication date (2024-02-02), no official patch or fixed version has been released for flusity-CMS v2.33. The vendor has not provided a security update. Administrators should implement CSRF protection mechanisms, such as adding unique tokens to forms and verifying the Origin or Referer header, until a patch is available. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog as of this writing.
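The synchronizer-token and Origin/Referer checks recommended above, as an added example written for this page (not flusity-CMS code); it assumes the CMS already uses PHP sessions for administrator authentication, and the function names are hypothetical.

```php
<?php
// Added example (not flusity-CMS code): CSRF guard for a state-changing
// handler such as update_post.php. Assumes PHP sessions already back the
// admin login; function names are hypothetical.

function csrf_token(): string {
    // One CSPRNG-generated token per session, reused across that session's forms.
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_field(): string {
    // Hidden input to embed in every form that posts to a state-changing endpoint.
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

function same_origin(array $server, string $expectedHost): bool {
    // Defense in depth: browsers attach Origin (or at least Referer) to
    // cross-site POSTs; reject the request when it names a different host.
    $source = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '';
    if ($source === '') {
        return false; // neither header present: fail closed
    }
    return strcasecmp((string) parse_url($source, PHP_URL_HOST), $expectedHost) === 0;
}

function csrf_check(array $post, array $server, string $expectedHost): bool {
    // Timing-safe comparison of the submitted token against the session token.
    $submitted = $post['csrf_token'] ?? '';
    $expected  = $_SESSION['csrf_token'] ?? '';
    if (!is_string($submitted) || $expected === '' || !hash_equals($expected, $submitted)) {
        return false;
    }
    return same_origin($server, $expectedHost);
}

// At the top of update_post.php, before mode=edit or any other write is handled:
session_start();
if ($_SERVER['REQUEST_METHOD'] === 'POST'
    && !csrf_check($_POST, $_SERVER, $_SERVER['SERVER_NAME'] ?? 'localhost')) {
    http_response_code(403);
    exit('Invalid CSRF token or request origin.');
}
```

Behind a reverse proxy, compare the Origin host against the configured public hostname rather than SERVER_NAME, since the latter may reflect the internal address.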
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- flusity-CMS/flusity-CMS
  - Range: = 2.33
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.