VYPR
Unrated severity · NVD Advisory · Published Feb 22, 2024 · Updated Aug 28, 2024

CVE-2024-26445

Description

flusity-CMS v2.33 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via the component `/core/tools/delete_place.php`.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A CSRF vulnerability in flusity-CMS v2.33 allows an attacker to delete places via the `/core/tools/delete_place.php` endpoint without victim consent.

Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability exists in flusity-CMS v2.33 [1]. The vulnerable endpoint is `/core/tools/delete_place.php`, which accepts the POST parameters `action` and `place_id` to delete a place. The endpoint implements neither an anti-CSRF token nor origin validation, so it cannot distinguish a request the administrator intended from one forged by another site.

Exploitation

An attacker can exploit this vulnerability by crafting a malicious HTML page that automatically submits a POST request to `http://127.0.0.1/core/tools/delete_place.php` with the parameters `action=delete_place` and a target `place_id` [1]. The attacker hosts this page on a different domain and lures an authenticated administrator to visit it. If the administrator is currently logged into the flusity-CMS instance, the browser will automatically include the session cookie with the forged request, causing the deletion to be processed without the victim's knowledge or consent.

Impact

Successful exploitation allows the attacker to delete arbitrary places within the CMS without authorization [1]. This leads to a loss of data integrity and availability, potentially disrupting site content management. The attack requires no special privileges other than the victim having an active admin session, and no direct interaction from the victim beyond browsing the attacker's page.

Mitigation

As of publication, no official patch or updated version has been released by the vendor [1]. The report confirms the vulnerability in flusity-CMS v2.33. Until a fix is provided, users should implement additional protections, such as adding CSRF tokens to forms, validating Origin and Referer headers, or employing SameSite cookie attributes. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of this writing.
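
The three protections named above, combined into one guard for a state-changing POST endpoint such as `/core/tools/delete_place.php`. This is an added example, not flusity-CMS code or a vendor patch; `csrf_token`, `csrf_check`, `csrf_guard` and the origin `https://cms.example.test` are assumptions, and the array form of `session_set_cookie_params` needs PHP 7.3 or later.

```php
<?php
declare(strict_types=1);
// Added example; function names and the origin below are hypothetical, not flusity-CMS code.

// SameSite keeps the session cookie off cross-site POSTs; 'secure' assumes HTTPS.
session_set_cookie_params(['httponly' => true, 'samesite' => 'Strict', 'secure' => true]);
session_start();

// One random token per session; embed it in every form as a hidden csrf_token field.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Pure check: method, Origin and token must all pass. $sent is untyped on purpose,
// because a request can deliver an array (csrf_token[]=...) instead of a string.
function csrf_check(string $method, ?string $origin, $sent, string $expected, string $allowedOrigin): bool
{
    if ($method !== 'POST') {
        return false;
    }
    // Reject when the browser supplied an Origin that is not ours.
    if ($origin !== null && $origin !== $allowedOrigin) {
        return false;
    }
    // Constant-time comparison; a missing or non-string token fails.
    return is_string($sent) && $sent !== '' && hash_equals($expected, $sent);
}

// Call at the top of the handler; the existing delete logic runs only after it returns.
function csrf_guard(string $allowedOrigin): void
{
    $ok = csrf_check(
        $_SERVER['REQUEST_METHOD'] ?? '',
        $_SERVER['HTTP_ORIGIN'] ?? null,
        $_POST['csrf_token'] ?? null,
        csrf_token(),
        $allowedOrigin
    );
    if (!$ok) {
        http_response_code(403);
        exit('CSRF validation failed');
    }
}

csrf_guard('https://cms.example.test'); // constructed origin: set to the site's own
```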

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

0

No patches discovered yet.
