CVE-2024-25419
Description
flusity-CMS v2.33 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /core/tools/update_menu.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A CSRF vulnerability in flusity-CMS v2.33 allows an attacker to update menu entries via the `/core/tools/update_menu.php` endpoint without proper token validation.
Vulnerability
A Cross-Site Request Forgery (CSRF) vulnerability exists in flusity-CMS version v2.33. The flaw is located in the /core/tools/update_menu.php component, which applies menu updates without validating a CSRF token or checking that the request originates from the same site [1]. The endpoint relies only on the victim's session cookie, which the browser attaches automatically to a cross-site form submission, so a third-party page can forge state-changing requests on behalf of a user who is already logged in.
Exploitation
An attacker can craft a malicious HTML page that automatically submits a POST request to /core/tools/update_menu.php when visited by an authenticated victim. The public proof-of-concept [1] sends parameters such as menu_id, menu_name, lang_menu_name, page_url, position, template, show_in_menu, and parent_id to modify an existing menu item. The only requirement is that the victim must be logged into flusity-CMS [1]. The request is submitted via a form with action set to the vulnerable endpoint, using no additional headers or tokens.
Impact
Successful exploitation allows an attacker to modify menu entries in the CMS, potentially changing navigation or redirecting users to malicious pages. The impact is limited to menu configuration changes; the attacker does not gain direct code execution or privilege escalation from this CSRF alone. However, combined with other vulnerabilities, it could facilitate deeper attacks such as stored XSS via menu names or URLs.
Mitigation
As of the publication date (2024-02-11) and based on the reference [1], no official patch has been released for flusity-CMS v2.33. The vendor has not provided a fixed version or workaround. Sites using this version should consider implementing custom CSRF protections: adding anti-CSRF tokens to all state-changing forms and verifying them server-side, rejecting requests whose Origin or Referer header does not match the site's own host, and, as defence in depth, marking the session cookie SameSite=Lax or Strict so browsers withhold it from cross-site POSTs. If the CMS is unmaintained, migrating to an alternative solution is recommended.
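As an added example (not flusity-CMS code, which is not reproduced here), the following PHP shows the kind of guard a site could bolt onto a state-changing endpoint such as /core/tools/update_menu.php, covering the gap described under Vulnerability and the protections listed under Mitigation: a per-session synchronizer token plus an Origin/Referer check. The function names, the session key csrf_token, the form field name csrf_token and the use of native PHP sessions are assumptions; the real CMS's session handling and form templates may differ.

```php
<?php
// Added example, not flusity-CMS code. A drop-in CSRF guard for a PHP
// state-changing endpoint such as /core/tools/update_menu.php.
// Assumptions (hypothetical): the CMS uses native PHP sessions, and the
// admin form that posts to update_menu.php can be edited to carry the token.

declare(strict_types=1);

// Returns the session's CSRF token, creating it on first use.
// Call before any output is sent, because it may start the session.
function csrf_token(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['csrf_token'])) {
        // 32 random bytes -> 64 hex chars, stored server-side only; a
        // third-party page has no way to read it. Regenerate it on login
        // (alongside session_regenerate_id) so a fixated session cannot reuse it.
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// True only for a POST that carries the session token and, per its Origin
// header (falling back to Referer), came from $expectedHost (hostname only,
// no port).
function csrf_request_is_valid(string $expectedHost): bool
{
    if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
        return false; // state changes must never be accepted on GET
    }

    // Defence 1: synchronizer token. is_string() rejects csrf_token[]=x tricks;
    // hash_equals() compares in constant time.
    $sent = $_POST['csrf_token'] ?? '';
    if (!is_string($sent) || !hash_equals(csrf_token(), $sent)) {
        return false;
    }

    // Defence 2: browsers set Origin on cross-origin form POSTs and an
    // attacker's page cannot override it, so a mismatch means cross-site.
    $source = $_SERVER['HTTP_ORIGIN'] ?? $_SERVER['HTTP_REFERER'] ?? '';
    if ($source === '') {
        return false; // cannot tell where the request came from: fail closed
    }
    $host = parse_url($source, PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $expectedHost) === 0;
}

// --- Usage at the top of update_menu.php, before any menu row is touched ---
// Replace 'cms.example.org' with the site's real hostname (assumed value).
// if (!csrf_request_is_valid('cms.example.org')) {
//     http_response_code(403);
//     exit('Rejected: missing CSRF token or cross-site origin');
// }

// --- Usage in the admin form that posts to update_menu.php ---
// echo '<input type="hidden" name="csrf_token" value="'
//     . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
```

With this guard in place, the auto-submitting form from the public proof-of-concept fails twice over: it cannot include a token it never saw, and the browser stamps the POST with the attacker page's Origin, which does not match the CMS host. The Referer fallback exists only because some proxies strip Origin; sites that set a strict Referrer-Policy should rely on the token alone rather than on the header check.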
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- flusity-CMS/flusity-CMS
- Range: = 2.33
Patches
No patches discovered yet.
References
News mentions
No linked articles in our index yet.