VYPR
Medium severity (6.5) · NVD Advisory · Published May 26, 2026 · Updated May 26, 2026

CVE-2026-46620

Description

e107 is a content management system (CMS). Prior to 2.3.5, e107 CMS does not properly enforce CSRF token validation on comment moderation actions. The problem comes down to how session_handler::check() handles CSRF tokens. Instead of requiring a token on every state-changing request, it only validates the token if one happens to be present. If there is no token at all, the check is skipped entirely. This vulnerability is fixed in 2.3.5.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

e107 CMS before 2.3.5 does not enforce CSRF token validation on comment moderation, allowing attackers to delete or approve comments without victim interaction.

Vulnerability

In e107 CMS versions prior to 2.3.5, the session_handler::check() method fails to enforce CSRF token validation on state-changing requests. The token is only validated if present in the request; if absent, the check is skipped entirely. Specific endpoints in comment.php (delete and approve handlers) do not perform any additional token verification, directly calling deleteComment() or approveComment() based on user-supplied parameters. This allows cross-site request forgery attacks against comment moderation actions [1].

Exploitation

An attacker can craft a malicious web page that submits a cross-origin POST request to the vulnerable comment.php endpoints with mode=delete or mode=approve and required parameters (e.g., id, table, itemid). The victim, who must be a logged-in administrator or moderator, only needs to visit the attacker's page. Since no CSRF token is sent with the forged request, the token check is bypassed, and the comment moderation action is executed on behalf of the victim without their knowledge [1].

Impact

An attacker can delete or approve any comment on the e107 site without authorization. This compromises the integrity of the comment data, potentially allowing removal of legitimate comments or approval of spam or malicious comments. The attack does not affect confidentiality or availability [1].

Mitigation

The vulnerability is fixed in e107 CMS version 2.3.5. Users should upgrade to this version or later as soon as possible. No workarounds are available in the published advisory [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • E107/E107 (inferred), 2 versions: <2.3.5 + 1 more
    • (no CPE) range: <2.3.5
    • (no CPE) range: <2.3.5

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing CSRF token enforcement in session_handler::check() allows state-changing requests without any token."

Attack vector

An attacker hosts a simple HTML page containing a cross-origin form that POSTs to the victim e107 site's `comment.php` endpoints with `mode=delete` or `mode=approve` and the required comment parameters (`id`, `table`, `itemid`) [ref_id=1]. Because the form omits any `e-token` or `e_token` field, `session_handler::check()` finds no token present and skips validation entirely, allowing the state-changing action to proceed [ref_id=1]. The attack requires no authentication on the attacker's part—only that a logged-in admin or moderator visits the crafted page (e.g., via phishing or social engineering) [ref_id=1].

Affected code

The vulnerability resides in `e107_handlers/session_handler.php` (around line 1108) where `session_handler::check()` only validates a CSRF token if one is present in the request; if no token is sent, the check is skipped entirely [ref_id=1]. Additionally, the delete and approve handlers in `comment.php` (lines 65 and 74) call `deleteComment()` and `approveComment()` directly without performing any token verification beforehand [ref_id=1].

What the fix does

The advisory states that in e107 v2.3.5, token presence is now enforced for state-mutating requests in `session_handler::check()`, and the delete and approve branches in `comment.php` require a valid e-token before executing [ref_id=1]. This closes the attack path by ensuring that every state-changing request must carry a valid CSRF token; requests without a token are rejected rather than silently accepted [ref_id=1].
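As an added example, not e107's code, the two token policies the advisory contrasts, written as hypothetical PHP functions: one that validates a token only when the client sends one, beside a hardened version that treats a missing token on a state-changing request as a failure, with a dispatcher that gates the delete/approve branches on the hardened check. Only the `e-token` field name comes from the page; the function names and the sample requests are assumptions.

```php
<?php
// Added illustration, not e107's code: the two token policies the advisory
// contrasts, as hypothetical functions. Only the 'e-token' field name is from the page.
const TOKEN_FIELD = 'e-token';

// Weak policy: validated only when the client sends a token, so a request that
// simply omits the field passes. This is the flaw the advisory describes.
function checkTokenIfPresent(array $post, string $expected): bool
{
    if (!isset($post[TOKEN_FIELD])) {
        return true; // nothing to compare, so the check is skipped
    }
    return hash_equals($expected, (string) $post[TOKEN_FIELD]);
}

// Hardened policy: every state-mutating method must carry a token matching the
// one bound to the session; absence is a failure, not a pass.
function checkTokenRequired(string $method, array $post, string $expected): bool
{
    if (in_array($method, ['GET', 'HEAD', 'OPTIONS'], true)) {
        return true; // safe methods do not mutate state
    }
    if (!isset($post[TOKEN_FIELD]) || !is_string($post[TOKEN_FIELD])) {
        return false; // missing or malformed token is rejected
    }
    return hash_equals($expected, $post[TOKEN_FIELD]);
}

// Hypothetical dispatcher: the delete/approve branches are gated on the hardened
// check before any handler would be reached.
function moderate(string $method, array $post, string $expected): string
{
    $mode = $post['mode'] ?? '';
    if (!in_array($mode, ['delete', 'approve'], true)) {
        return 'ignored: unknown mode';
    }
    if (!checkTokenRequired($method, $post, $expected)) {
        return 'rejected: missing or invalid CSRF token';
    }
    return $mode === 'delete' ? 'would call deleteComment()' : 'would call approveComment()';
}

// Constructed sample requests. A cross-site form cannot read the session token,
// so a forged request is precisely one that lacks the field.
$sessionToken = bin2hex(random_bytes(16));
$forged = ['mode' => 'delete', 'id' => '4', 'table' => 'news', 'itemid' => '4'];
$legit  = $forged + [TOKEN_FIELD => $sessionToken];
echo 'weak check, no token:  ', var_export(checkTokenIfPresent($forged, $sessionToken), true), PHP_EOL;
echo 'hardened, no token:    ', moderate('POST', $forged, $sessionToken), PHP_EOL;
echo 'hardened, valid token: ', moderate('POST', $legit, $sessionToken), PHP_EOL;
```

The same request is accepted by the weak check and rejected by the hardened one; a useful regression test for any token middleware is therefore a POST that omits the token field entirely, not only one with a wrong value.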

Preconditions

  • Auth: The victim must be a logged-in admin or moderator of the e107 CMS site.
  • Input: The attacker must craft a cross-origin HTML form that POSTs to the victim's comment.php endpoints.
  • Network: The victim must navigate to the attacker's page (e.g., via phishing or social engineering).

Reproduction

Step 1. Confirm initial DB state: `mysql -u e107 -pe107 -h 127.0.0.1 e107 -e "UPDATE e107_comments SET comment_blocked=0 WHERE comment_id=4; SELECT comment_id,comment_blocked FROM e107_comments WHERE comment_id=4;"` (expected: `comment_blocked = 0`).
Step 2. Create the attacker page at a cross-origin host with a form that POSTs to `http://victim.e107.test/comment.php?ajax_used=1&mode=delete` with hidden inputs `id=4`, `table=news`, `itemid=4` and no `e-token` field.
Step 3. Serve the page from a cross-origin host.
Step 4. While the admin is logged in at victim.e107.test, navigate to the attacker page; the form auto-submits.
Step 5. Observe that the server returns `{"msg":"Ok","error":false}`.
Step 6. Verify that the DB state changed: `SELECT comment_id,comment_blocked FROM e107_comments WHERE comment_id=4;` (expected: `comment_blocked = 1`) [ref_id=1].

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1

News mentions

0

No linked articles in our index yet.