Nodcms contains a Cross-Site Request Forgery (CSRF) vulnerability
Platform: php
Component: khodakhah/nodcms
Fixed in: 1.0.1, 3.4.2
CVE-2016-20054 describes a cross-site request forgery (CSRF) vulnerability in khodakhah/nodcms, a PHP-based content management system. Because state-changing administrative requests are accepted without a session-bound anti-forgery token, an attacker can trick an authenticated administrator's browser into submitting requests the administrator never intended, for example creating an account or changing application settings. The vulnerability affects nodcms versions up to and including 3.4.1; the fixed version listed above is 3.4.2. Mitigation is to upgrade to a patched release.
Impact and Attack Scenarios
The primary impact of CVE-2016-20054 is unauthorized administrative action. An attacker hosts a page containing an HTML form that targets a nodcms admin endpoint; when an administrator who is logged in to nodcms visits that page (typically via a phishing link or a compromised site), the browser submits the form together with the administrator's session cookie, and the application executes the request with the administrator's privileges. Depending on the endpoint targeted, this can create new user accounts with elevated privileges, modify critical application settings, or delete data. The blast radius is bounded by what the nodcms administrative interface can do; the attacker never obtains the session cookie itself and cannot read the responses. Exploitation requires that the administrator hold a valid, unexpired session at the moment the malicious page is loaded.
Exploitation Context
CVE-2016-20054 was published on 2026-04-04. There is no indication of active exploitation, and the issue is not listed in the CISA KEV catalog. Public proof-of-concept code is not readily available, but a CSRF against a known endpoint needs nothing more than an HTML form with the right field names, so the practical barrier is luring a logged-in administrator to an attacker-controlled page rather than any technical difficulty.
Who Is at Risk
Organizations running khodakhah/nodcms are at risk, particularly those with several administrators or administrators who browse the web from the same browser profile in which they are logged in to nodcms. Shared hosting environments in which several tenants use the same nodcms instance are also exposed, since a single tricked administrator affects every tenant.
Detection Steps
• php / web: With an administrator session cookie, fetch the administrative form and check whether it carries a hidden anti-forgery field. The field name depends on the nodcms release and the framework it is built on, so the pattern below is deliberately broad; a form with no hidden token-like input is a strong indicator that the endpoint is unprotected:
curl -s -b '<admin_session_cookie>' '<nodcms_admin_url>/admin/user_manipulate' | grep -iE '<input[^>]+type="hidden"[^>]+name="[^"]*(csrf|token)[^"]*"'
• php / web: Examine the source code of the handlers behind admin/user_manipulate and admin/settings/generall. Look for POST processing that changes state (user creation, settings updates) without comparing a submitted token against one stored in the administrator's session, and check whether the session cookie is issued with a SameSite attribute.
Attack Timeline
- Disclosure
Threat Intelligence
- Exploit status: no public exploit recorded
- EPSS: 0.03% (10th percentile)
- CISA SSVC: no entry
CVSS Vector
What do these metrics mean?
- Attack Vector: Network. Exploitable remotely over the internet; no physical or local access required.
- Attack Complexity: Low. No special conditions required; exploitation is reliable.
- Privileges Required: Low. Any valid user account is sufficient.
- User Interaction: None. The attack is automatic and silent; the victim does nothing.
- Scope: Unchanged. Impact is limited to the vulnerable component.
- Confidentiality: None. No impact on confidentiality.
- Integrity: Low. The attacker can modify some data with limited impact.
- Availability: None. No impact on availability.
These values reproduce the published record. Note that a CSRF attack cannot succeed unless the administrator loads the attacker's page while logged in, so the User Interaction metric above understates the interaction the attack scenario actually requires.
Affected Software
Package information
- Latest release: 3.3.0 (46 months ago)
Weakness Classification (CWE)
- CWE-352: Cross-Site Request Forgery (CSRF)
Timeline
- Reserved
- Published
- Modified
- EPSS updated
Mitigation and Workarounds
The primary mitigation for CVE-2016-20054 is to upgrade khodakhah/nodcms to a patched release. The header of this page lists 3.4.2 as the fixed version; the CVE record itself does not name one, so confirm the version against the project's release notes before relying on it. If you cannot upgrade immediately, note that input validation and output encoding do not stop CSRF: a forged request carries perfectly valid input, and the problem is that the server cannot tell who built the form. The workarounds that do help are (1) adding a per-session anti-forgery token to every state-changing form on the affected endpoints (admin/user_manipulate and admin/settings/generall) and rejecting submissions whose token does not match in constant time, (2) issuing the session cookie with SameSite=Lax or SameSite=Strict so browsers withhold it from cross-site form posts, and (3) rejecting POST requests whose Origin header names a foreign site. After upgrading, verify the fix by submitting the admin form from a page served on a different origin, and from the original form with the token field removed; both must be rejected while a normal submission still succeeds.
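The following is an added example and is not nodCMS code; it illustrates the unprotected handler pattern described above beside the same handler guarded by a synchronizer token and an Origin check. The endpoint path, the form field names (username, role, csrf_token), the hosts cms.example and attacker.example, and the function names are all hypothetical; $session stands in for PHP's $_SESSION so the logic can be exercised from the command line.

```php
<?php
// Added example (not nodCMS code): unprotected admin POST handler beside a
// hardened one. Endpoint, field names and hosts are hypothetical.
declare(strict_types=1);

// Return the per-session token, minting one on first use.
// $session stands in for $_SESSION so this runs without a web server.
function csrf_token(array &$session): string
{
    if (!isset($session['csrf_token']) || !is_string($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32)); // 256-bit CSPRNG value
    }
    return $session['csrf_token'];
}

// Constant-time comparison of the submitted token with the session token.
function csrf_valid(array $session, array $post): bool
{
    $expected = $session['csrf_token'] ?? null;
    $given    = $post['csrf_token'] ?? null;
    return is_string($expected) && is_string($given) && hash_equals($expected, $given);
}

// Defence in depth: browsers attach the originating site's Origin header to
// cross-site POSTs, so a form built on attacker.example is detectable even if
// the token check were ever bypassed. A missing header is treated as hostile.
function same_origin(array $server, string $expectedHost): bool
{
    $origin = $server['HTTP_ORIGIN'] ?? '';
    if ($origin === '') {
        return false;
    }
    $host = parse_url($origin, PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $expectedHost) === 0;
}

// BEFORE: any POST that arrives with the admin's session cookie is honoured,
// no matter which site built the form. This is the pattern the advisory describes.
function user_manipulate_unprotected(array $post): string
{
    $user = $post['username'] ?? '';
    $role = $post['role'] ?? 'member';
    return "created '{$user}' with role '{$role}'";
}

// AFTER: identical business logic, refused unless the request carries the
// session-bound token and originates from our own host.
function user_manipulate_protected(array $session, array $post, array $server, string $host): string
{
    if (!csrf_valid($session, $post) || !same_origin($server, $host)) {
        if (PHP_SAPI !== 'cli') {
            http_response_code(403);
        }
        return 'forbidden: CSRF check failed';
    }
    return user_manipulate_unprotected($post);
}

// The token reaches the browser as a hidden field in every state-changing form.
function render_user_form(array &$session, string $action): string
{
    $token = htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="' . htmlspecialchars($action, ENT_QUOTES, 'UTF-8') . '">'
         . '<input type="hidden" name="csrf_token" value="' . $token . '">'
         . '<input name="username"><input name="role"><button>Save</button></form>';
}

// Demonstration with constructed requests.
$session = [];
$form    = render_user_form($session, '/admin/user_manipulate');

// Cross-site forgery: no token, foreign Origin -> rejected.
$forged  = ['username' => 'backdoor', 'role' => 'admin'];
$hostile = ['HTTP_ORIGIN' => 'https://attacker.example'];
echo user_manipulate_protected($session, $forged, $hostile, 'cms.example'), PHP_EOL;

// Legitimate submission from our own rendered form -> accepted.
$genuine = $forged + ['csrf_token' => $session['csrf_token']];
$ours    = ['HTTP_ORIGIN' => 'https://cms.example'];
echo user_manipulate_protected($session, $genuine, $ours, 'cms.example'), PHP_EOL;
```

Run with `php csrf_demo.php`; the first line is the rejection and the second the successful create. In a real deployment the token is bound to the server-side session that the cookie identifies, so the attacker's page cannot read it (same-origin policy) and cannot guess it (256 random bits). Pair this with a SameSite attribute on the session cookie: the token check is the primary control, the cookie attribute and Origin check are the layers that hold if a template somewhere forgets to include the hidden field.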
How to fix
Update nodCMS to a patched release that resolves this Cross-Site Request Forgery (CSRF) vulnerability (3.4.2 according to the header of this page; check the official nodCMS documentation for upgrade instructions and the list of fixed versions). Until the upgrade is in place, protect the administrative forms with per-session anti-forgery tokens and set a SameSite attribute on the session cookie; input validation and output encoding on their own do not prevent CSRF.
Frequently Asked Questions
What is CVE-2016-20054 (CSRF in khodakhah/nodcms)?
CVE-2016-20054 is a cross-site request forgery vulnerability in khodakhah/nodcms versions up to and including 3.4.1. It lets an attacker cause a logged-in administrator's browser to submit administrative requests the administrator did not intend.
Am I affected by CVE-2016-20054 in khodakhah/nodcms?
You are affected if you run khodakhah/nodcms 3.4.1 or earlier. Upgrade to a patched version as soon as possible.
How do I fix CVE-2016-20054 in khodakhah/nodcms?
Upgrade to a patched version of khodakhah/nodcms. As an interim measure, add anti-forgery tokens to the administrative forms and mark the session cookie SameSite.
Is CVE-2016-20054 being actively exploited?
There is no current evidence of active exploitation, but a CSRF of this kind is easy to exploit once an administrator can be lured to a malicious page.
Where can I find the official khodakhah/nodcms advisory for CVE-2016-20054?
Official advisories are not readily available; consult the NVD entry for more information.