VYPR
High severity · NVD Advisory · Published Mar 22, 2024 · Updated Aug 2, 2024

CVE-2024-29499

Description

Anchor CMS v0.12.7 is vulnerable to Cross-Site Request Forgery (CSRF) via the /anchor/admin/users/delete/2 endpoint, allowing an attacker to delete users without authentication.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

CVE-2024-29499 describes a Cross-Site Request Forgery (CSRF) vulnerability in Anchor CMS v0.12.7 in the /anchor/admin/users/delete/2 endpoint: the user-deletion action is reachable through a predictable URL and is gated only by the administrator's session cookie, with nothing that distinguishes a request submitted from a third-party page from one made in the admin UI [1]. The phrase "without authentication" in the description means the attacker needs no credentials of their own; the forged request rides on a logged-in administrator's session. The project is no longer maintained and is not considered production-ready [2], so no patch will be provided.

Exploitation

A proof-of-concept (PoC) shows an attacker-hosted page containing an HTML form with action="http://127.0.0.1/anchor/admin/users/delete/2" that submits itself as soon as a logged-in administrator loads the page [3]. The browser attaches the administrator's session cookie to that cross-site request, so the server processes the deletion as if the administrator had clicked the button. Exploitation requires the victim to be authenticated to the admin panel and to load attacker-controlled content (a link or embedded content); the attacker needs no account or privileges of their own. The PoC as described does not set a form method, and a form without one submits via GET; if the endpoint accepts GET, a browser's SameSite=Lax cookie default does not help, because Lax still sends cookies on top-level navigations.

Impact

Successful exploitation forces the deletion of the user whose numeric ID appears in the path (the PoC targets ID 2) without the victim's knowledge or consent. Deleting an administrator or editor account can lock legitimate operators out or disrupt the site. Because the application is end-of-life and unmaintained [2], every installation running v0.12.7 remains vulnerable.

Mitigation

No patch is available, and the vendor recommends migrating to another platform [2]. Until an installation can be decommissioned or migrated, operators should restrict the admin panel to trusted networks or a VPN, put a reverse proxy in front of it that rejects state-changing requests whose Origin or Referer header does not match the site's own origin and sets the SameSite attribute on the session cookie, or add a per-session anti-CSRF token that the server verifies on every state-changing request.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: anchorcms/anchor-cms (Packagist)
Affected versions: <= 0.12.7
Patched versions: none

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0 (no linked articles in our index yet)