Platform
php
Component
khodakhah/nodcms
Fixed in
1.0.1
3.4.2
CVE-2016-20054 describes a cross-site request forgery (CSRF) vulnerability discovered in khodakhah/nodcms, a PHP-based content management system. This vulnerability allows attackers to trick authenticated administrators into performing unauthorized actions, potentially leading to account creation or modification of application settings. The vulnerability affects versions of nodcms up to and including 3.4.1. Mitigation involves upgrading to a patched version of the CMS.
The primary impact of CVE-2016-20054 is the potential for unauthorized administrative actions. An attacker could craft malicious HTML forms that, when submitted by an authenticated administrator, would execute commands as that administrator. This could include creating new user accounts with elevated privileges, modifying critical application settings, or even deleting data. The blast radius is limited to the scope of administrative actions within the nodcms application. Successful exploitation requires an administrator to be actively browsing the application when the malicious form is presented, typically through a phishing attack or compromised website.
CVE-2016-20054 was published on 2026-04-04. There is no indication of active exploitation or inclusion in the CISA KEV catalog. Public proof-of-concept (POC) code is not readily available, but the vulnerability's nature makes it relatively straightforward to exploit given access to an authenticated administrator session.
Organizations using khodakhah/nodcms for their content management needs, particularly those with multiple administrators or those who allow administrators to access the application from untrusted networks, are at risk. Shared hosting environments where multiple users share the same nodcms instance are also particularly vulnerable.
• php / web:
curl -I <nodcms_admin_url>/admin/user_manipulate | grep -i 'content-type: application/x-www-form-urlencoded'
• php / web: Examine the source code of admin/user_manipulate and admin/settings/generall for missing CSRF tokens or inadequate input validation.
disclosure
Exploit status
EPSS
0.03% (10th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2016-20054 is to upgrade to a patched version of khodakhah/nodcms. Unfortunately, specific patched versions are not provided in the CVE data. As a temporary workaround, implement strict input validation and output encoding on all administrative endpoints (admin/user_manipulate and admin/settings/generall). Consider implementing CSRF tokens on all forms to prevent unauthorized submissions. After upgrading, confirm the vulnerability is resolved by attempting to submit a crafted CSRF request to the affected endpoints and verifying that it is rejected.
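As an added example (not nodcms code), the synchronizer-token pattern the mitigation above refers to, applied to an admin POST handler such as admin/user_manipulate. The endpoint name comes from the advisory; the function names and session layout are assumptions.

```php
<?php
// Added example, not nodcms code: synchronizer-token CSRF protection for an
// admin POST handler such as admin/user_manipulate (endpoint named in the
// advisory). Function names and the session layout are assumptions.
declare(strict_types=1);

session_start();

// Issue one unpredictable token per session and reuse it for every admin form.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden field that every state-changing admin form must carry.
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Validate a submitted token. hash_equals() is a constant-time comparison;
// a missing session token (no form was ever rendered) also fails.
function csrf_valid(?string $submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    return $expected !== '' && is_string($submitted)
        && hash_equals($expected, $submitted);
}

// Vulnerable shape (the CVE-2016-20054 pattern): any POST carrying the
// administrator's session cookie is honoured, wherever the form came from.
function user_manipulate_unprotected(array $post): string
{
    return 'created user ' . ($post['username'] ?? '');
}

// Hardened shape: reject the request before any state changes.
function user_manipulate_protected(array $post): string
{
    if (!csrf_valid($post['csrf_token'] ?? null)) {
        http_response_code(403);
        return 'rejected: CSRF token missing or invalid';
    }
    return 'created user ' . ($post['username'] ?? '');
}
```

The same check belongs on admin/settings/generall and every other endpoint that changes state; a form submitted from a third-party page cannot read the session-bound token, so it fails the comparison.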
Update nodCMS to a fixed version that resolves this cross-site request forgery (CSRF) vulnerability. Consult the official nodCMS documentation for specific update instructions and the available fixed versions. Implement additional security measures, such as input validation and output encoding, to reduce the risk of CSRF attacks.
CVE-2016-20054 is a cross-site request forgery vulnerability in khodakhah/nodcms versions up to 3.4.1, allowing attackers to perform unauthorized admin actions.
You are affected if you are using khodakhah/nodcms versions 3.4.1 or earlier. Upgrade to a patched version as soon as possible.
Upgrade to a patched version of khodakhah/nodcms. Implement CSRF tokens and input validation as a temporary workaround.
There is no current evidence of active exploitation, but the vulnerability is relatively easy to exploit.
Official advisories are not readily available; consult the NVD entry for more information.