This article is a part of our Vulnerability Database
Cross-Site Request Forgery occurrences in YzmCMS
YzmCMS v6.3 is affected by Cross Site Request Forgery (CSRF) in /admin.add (2022-02-15, CVE-2022-23384)
YzmCMS v6.3 was discovered to contain a Cross-Site Request Forgery (CSRF) which allows attackers to arbitrarily delete user accounts via /admin/admin_manage/delete. (2022-01-28, CVE-2022-23887)
YzmCMS v6.3 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /yzmcms/comment/index/init.html. (2022-01-28, CVE-2022-23888)
A cross-site request forgery (CSRF) in /controller/pay.class.php of YzmCMS v5.5 allows attackers to access sensitive components of the application. (2021-09-23, CVE-2020-19951)
An issue was discovered in YzmCMS V5.8. There is a CSRF vulnerability that can add member user accounts via member/member/add.html. (2021-06-03, CVE-2020-35972)
admin/urlrule/add.html in YzmCMS 5.3 allows CSRF with a resultant denial of service by adding a superseding route. (2019-09-21, CVE-2019-16678)
YzmCMS v5.2 has admin/role/add.html CSRF. (2018-12-10, CVE-2018-20015)
An issue was discovered in YzmCMS 3.8. There is a CSRF vulnerability that can add a tag via /index.php/admin/tag/add.html. (2018-04-19, CVE-2018-10224)
An issue was discovered in YzmCMS 3.8. There is a CSRF vulnerability that can add an admin account via /index.php/admin/admin_manage/add.html. (2018-04-19, CVE-2018-10223)
Why Cross-Site Request Forgery can be dangerous
The absence of anti-CSRF tokens may lead to a Cross-Site Request Forgery attack, in which the attacker makes the application execute a specific action as another logged-in user: for example, taking over their account by changing their email and password, or silently adding a new admin user account when the request is executed from an administrator's session.
The attacker may copy one of your web application's forms, e.g. the email/password change form.
The malicious page contains a form with exactly the same set of fields as the original, but with the input values already filled in and the submit button replaced by JavaScript that submits the form automatically. When the page is opened the form is submitted immediately, and the page content is then replaced with innocuous content or a redirect back to your original application.
One of your application users who is already logged in can then be tricked into visiting such a page, e.g. by clicking a link in a phishing email. The browser attaches the user's session cookie to the cross-site form post, so the pre-populated form is submitted to your application as if the user had submitted it themselves; the session cookie alone therefore cannot tell the application where the request came from.