VYPR
Unrated severity · NVD Advisory · Published Feb 11, 2024 · Updated Jun 12, 2025

CVE-2024-25417

Description

flusity-CMS v2.33 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /core/tools/add_translation.php.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

flusity-CMS v2.33 contains a CSRF vulnerability in /core/tools/add_translation.php that allows an attacker to add unauthorized translations.

Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability exists in flusity-CMS v2.33 via the /core/tools/add_translation.php component. The endpoint does not implement any anti-CSRF tokens or origin validation, making it susceptible to forged requests. Affected versions: v2.33 [1].

Exploitation

An attacker can craft a malicious HTML form that submits a POST request to the vulnerable endpoint with arbitrary translation parameters (e.g., language_code, translation_key, translation_value). The attacker must trick an authenticated administrator into submitting the form, typically by hosting the form on a malicious site or via a phishing email [1].

Impact

Successful exploitation can result in the unauthorized addition of translations within the CMS, potentially leading to content manipulation, defacement, or injection of malicious data that may be rendered to other users. The attack targets an authenticated administrator session [1].

Mitigation

As of the latest information, no official patch has been released, and the vendor has not disclosed a fixed version. A workaround is to disable the translation functionality if it is not needed, or to implement custom CSRF tokens and origin validation. This CVE is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog as of February 2024 [1].
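
One way to implement the token and origin checks named in the workaround, shown as an added PHP example that is not flusity-CMS code. The function names, the `csrf_token` session key and form field, and the `https://cms.example` origin are assumptions.

```php
<?php
// Added example: hypothetical CSRF guard for a state-changing PHP endpoint.
// All names below are assumptions; none of this is flusity-CMS code.
declare(strict_types=1);

/** Return the per-session token, creating it on first use. */
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

/** True only if Origin (or Referer as fallback) is one of our own origins. */
function origin_allowed(array $server, array $allowedOrigins): bool
{
    $source = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '';
    $p = parse_url($source);
    if (!is_array($p) || empty($p['scheme']) || empty($p['host'])) {
        return false; // header missing, "null", or unparseable: reject
    }
    $origin = strtolower($p['scheme'] . '://' . $p['host'])
            . (isset($p['port']) ? ':' . $p['port'] : '');
    return in_array($origin, $allowedOrigins, true);
}

/** Decide whether a request is allowed to change state. */
function csrf_check(array $server, array $post, array $session, array $allowedOrigins): bool
{
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST'
        || !origin_allowed($server, $allowedOrigins)) {
        return false;
    }
    $expected = $session['csrf_token'] ?? '';
    $supplied = $post['csrf_token'] ?? '';
    return is_string($expected) && is_string($supplied) && $expected !== ''
        && hash_equals($expected, $supplied); // constant-time comparison
}

// Form side: emit the token as a hidden field named csrf_token, e.g.
//   htmlspecialchars(csrf_token($_SESSION), ENT_QUOTES)
// Handler side, before any database write (constructed origin value):
//   session_start();
//   if (!csrf_check($_SERVER, $_POST, $_SESSION, ['https://cms.example'])) {
//       http_response_code(403);
//       exit('CSRF validation failed');
//   }
```

A cross-site form cannot read the session-bound token, so the forged POST fails the `hash_equals` comparison even though the administrator's session cookie is sent with it.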

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

1
