VYPR
Moderate severity · NVD Advisory · Published Jul 25, 2024 · Updated Aug 1, 2024

Spina CMS media_folders cross-site request forgery

CVE-2024-7106

Description

A vulnerability classified as problematic was found in Spina CMS 2.18.0. Affected by this vulnerability is an unknown functionality of the file /admin/media_folders. The manipulation leads to cross-site request forgery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-272431. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Spina CMS 2.18.0 has a CSRF vulnerability in the /admin/media_folders endpoint, allowing remote attackers to perform unauthorized actions.

Vulnerability

Overview

CVE-2024-7106 is a cross-site request forgery (CSRF) vulnerability found in Spina CMS version 2.18.0. The issue resides in the /admin/media_folders functionality, where the application fails to validate the origin of requests. This allows an attacker to craft a malicious web page that, when visited by an authenticated administrator, can submit unauthorized requests to the CMS on their behalf [1][3].

Attack

Vector

The attack is performed remotely by luring an authenticated admin to a specially crafted HTML page (proof of concept exists). The page contains a form that automatically submits a POST request to /admin/media_folders, including parameters such as a new folder name. Since the request is sent with the victim's session cookies, the server processes it as a legitimate action [4]. No additional authentication or user interaction beyond visiting the page is required [1].

Impact

An attacker exploiting this CSRF vulnerability can create, modify, or delete media folders within the Spina CMS admin panel without the victim's knowledge. This unauthorized manipulation of media resources can lead to data integrity issues and potentially serve as a stepping stone for further attacks, such as storing malicious content [3][4].

Mitigation

As of the publication date (2024-07-25), no patched version of Spina CMS has been released. The vendor was contacted but did not respond. Users are advised to implement additional CSRF protections, such as requiring anti-CSRF tokens on state-changing admin requests and setting the SameSite attribute on the session cookie [1][3].
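As an added example, not part of this advisory and not Spina's own code, the mitigation above written in Ruby (Spina is a Rails engine): a hypothetical CsrfGuard that applies the synchronizer-token check Rails' protect_from_forgery performs, plus an Origin/Referer check, to a state-changing POST such as /admin/media_folders, and emits the session cookie with SameSite=Lax. The allowed origin and cookie name are assumed values.

```ruby
require "securerandom"

# Hypothetical synchronizer-token CSRF guard (not Spina's own code), doing what
# Rails' protect_from_forgery does for the request in this advisory: a POST to
# /admin/media_folders is refused unless it carries the token bound to the
# admin's session and any Origin/Referer it sends is the CMS itself.
class CsrfGuard
  SAFE_METHODS = %w[GET HEAD OPTIONS].freeze
  COOKIE_NAME = "_cms_session" # assumed name, not Spina's real cookie

  def initialize(allowed_origin) # e.g. "https://cms.example" (constructed)
    @allowed_origin = allowed_origin
  end

  # One random token per session, rendered into admin forms as the hidden
  # authenticity_token field; an attacker's page cannot read it cross-origin.
  def issue_token(session)
    session[:csrf_token] ||= SecureRandom.hex(32)
  end

  # SameSite=Lax stops the browser attaching the session cookie to a
  # cross-site POST auto-submitted from the attacker's page.
  def self.session_cookie(session_id)
    "#{COOKIE_NAME}=#{session_id}; Path=/; HttpOnly; Secure; SameSite=Lax"
  end

  # Returns :allow, :reject_origin or :reject_token.
  def check(session:, method:, headers:, params:)
    return :allow if SAFE_METHODS.include?(method.upcase)
    origin = headers["Origin"] || headers["Referer"]
    return :reject_origin if origin && !same_origin?(origin)
    expected = session[:csrf_token]
    supplied = params["authenticity_token"] || headers["X-CSRF-Token"]
    return :reject_token unless expected && supplied && secure_compare(expected, supplied)
    :allow
  end

  private

  def same_origin?(url)
    url == @allowed_origin || url.start_with?("#{@allowed_origin}/")
  end

  # Constant-time comparison so timing cannot leak the token byte by byte.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

A forged POST carrying only the victim's cookie is rejected on origin or, when the attacker page sends no Origin/Referer, on the missing token; only a form rendered by the CMS itself carries a matching token.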

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: spina (RubyGems)
Affected versions: <= 2.18.0
Patched versions: none listed


Patches

No patches discovered yet.
