CVE-2024-25418
Description
flusity-CMS v2.33 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /core/tools/delete_menu.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
flusity-CMS v2.33 is vulnerable to Cross-Site Request Forgery (CSRF) in the delete_menu.php component, allowing unauthorized menu deletion.
Vulnerability
flusity-CMS version v2.33 contains a Cross-Site Request Forgery (CSRF) vulnerability in the /core/tools/delete_menu.php component. The endpoint accepts POST requests to delete menu items without validating a CSRF token or other anti-forgery measures. An attacker can craft a malicious HTML form that, when submitted by an authenticated administrator, triggers an unintended menu deletion. The affected version is explicitly v2.33 as reported in the advisory [1].
Exploitation
To exploit this vulnerability, an attacker must host a crafted HTML page containing a form that submits a POST request to /core/tools/delete_menu.php with parameters such as action=delete_menu_item and a target menu_item_id. The attacker then lures an authenticated administrator into visiting the malicious page, either by clicking a link or through other social engineering techniques. The form can be auto-submitted using JavaScript or require a single click. No additional authentication or network position is required beyond the victim's active session. The provided proof-of-concept demonstrates a simple form that, upon submission, deletes a menu item with ID 12 [1].
Impact
Successful exploitation allows an attacker to delete arbitrary menu items in the flusity-CMS backend without the administrator's consent. This can lead to defacement of the site's navigation structure, loss of menu content, and potential disruption of user experience. The attack does not grant the attacker elevated privileges or access to sensitive data, but it enables unauthorized modification of the CMS configuration. The impact is limited to the menu management functionality.
Mitigation
As of the publication date (2024-02-11), no official patch or fixed version has been released by the vendor. The advisory does not mention any workaround or mitigation steps. Administrators should monitor the flusity-CMS repository for updates and consider implementing CSRF protection mechanisms, such as including a unique token in each form submission and validating it server-side, until a permanent fix is available. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog at the time of writing.
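The token-based protection the mitigation paragraph describes, as an added example that is not flusity-CMS code: a synchronizer-token pattern applied to a delete handler shaped like the one in the description (action=delete_menu_item plus a menu_item_id). The function names csrf_token() and csrf_verify(), the session key, and the commented-out delete_menu_item() call are assumptions for illustration; the flaw in the advisory is that the real endpoint performs the deletion with no equivalent of the csrf_verify() step.

```php
<?php
// Added example (hypothetical, not the project's code): protect a
// state-changing endpoint with a per-session CSRF token.
session_start();

// Issue one random token per session and reuse it until the session ends.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Verify a submission: POST only, token present and equal in constant time,
// and (defence in depth) Origin/Referer host matching the request host.
function csrf_verify(array $post, array $server): bool {
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return false;
    }
    $expected = $_SESSION['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    if ($expected === '' || !is_string($given) || !hash_equals($expected, $given)) {
        return false;
    }
    $source = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '';
    $host   = preg_replace('/:\d+$/', '', $server['HTTP_HOST'] ?? '');
    if ($source !== '' && $host !== '' && parse_url($source, PHP_URL_HOST) !== $host) {
        return false;
    }
    return true;
}

// Handler: the deletion runs only after the token check succeeds.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    if (!csrf_verify($_POST, $_SERVER)) {
        http_response_code(403);
        exit('CSRF check failed');
    }
    if (($_POST['action'] ?? '') === 'delete_menu_item') {
        $id = filter_var($_POST['menu_item_id'] ?? '', FILTER_VALIDATE_INT);
        if ($id === false) {
            http_response_code(400);
            exit('invalid menu_item_id');
        }
        // delete_menu_item($id);  // hypothetical model call
        exit('deleted');
    }
}
?>
<!-- The legitimate admin form carries the token as a hidden field;
     a page on another origin cannot read this value, so its forged
     POST fails csrf_verify(). -->
<form method="post" action="/core/tools/delete_menu.php">
  <input type="hidden" name="csrf_token" value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES) ?>">
  <input type="hidden" name="action" value="delete_menu_item">
  <input type="hidden" name="menu_item_id" value="12">
  <button type="submit">Delete menu item</button>
</form>
```

hash_equals() avoids timing side channels on the comparison, and the Origin/Referer check is a second, independent signal rather than a replacement for the token. Marking the session cookie SameSite=Lax or Strict further reduces cross-site submissions, but browsers that ignore the attribute still rely on the server-side token check.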
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- flusity-CMS/flusity-CMS
  - Range: = 2.33
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.