Platform: php
Component: khodakhah/nodcms
Fixed in: 1.0.1, 3.4.2
CVE-2016-20054 describes a cross-site request forgery (CSRF) vulnerability discovered in khodakhah/nodcms, a PHP-based content management system. This vulnerability allows attackers to trick authenticated administrators into performing unauthorized actions, potentially leading to account creation or modification of application settings. The vulnerability affects versions of nodcms up to and including 3.4.1. Mitigation involves upgrading to a patched version of the CMS.
The primary impact of CVE-2016-20054 is the potential for unauthorized administrative actions. An attacker could craft malicious HTML forms that, when submitted by an authenticated administrator, would execute commands as that administrator. This could include creating new user accounts with elevated privileges, modifying critical application settings, or even deleting data. The blast radius is limited to the scope of administrative actions within the nodcms application. Successful exploitation requires an administrator to be actively browsing the application when the malicious form is presented, typically through a phishing attack or compromised website.
CVE-2016-20054 was published on 2026-04-04. There is no indication of active exploitation or inclusion in the CISA KEV catalog. Public proof-of-concept (POC) code is not readily available, but the vulnerability's nature makes it relatively straightforward to exploit given access to an authenticated administrator session.
Organizations using khodakhah/nodcms for their content management needs, particularly those with multiple administrators or those who allow administrators to access the application from untrusted networks, are at risk. Shared hosting environments where multiple users share the same nodcms instance are also particularly vulnerable.
• php / web: curl -I <nodcms_admin_url>/admin/user_manipulate | grep -i 'content-type: application/x-www-form-urlencoded'
• php / web: Examine the source code of admin/user_manipulate and admin/settings/generall for missing CSRF tokens or inadequate input validation.
disclosure
Exploit status
EPSS: 0.03% (percentile 10%)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2016-20054 is to upgrade to a patched version of khodakhah/nodcms. Unfortunately, specific patched versions are not provided in the CVE data. As a temporary workaround, implement strict input validation and output encoding on all administrative endpoints (admin/user_manipulate and admin/settings/generall). Consider implementing CSRF tokens on all forms to prevent unauthorized submissions. After upgrading, confirm the vulnerability is resolved by attempting to submit a crafted CSRF request to the affected endpoints and verifying that it is rejected.
Update nodCMS to a patched version that resolves this Cross-Site Request Forgery (CSRF) vulnerability. Consult the official nodCMS documentation for specific update instructions and the available patched versions. Implement additional security measures, such as input validation and output encoding, to mitigate the risk of CSRF attacks.
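As an added example (not nodCMS's own code), here is the synchronizer-token check recommended above, written in plain PHP for a form like the one posted to admin/user_manipulate; the form field names, the action path and the session layout are assumptions.

```php
<?php
// Added example, not nodCMS code: synchronizer-token CSRF protection for a
// state-changing admin form. Field names and the action path are assumptions.

// Bind the session cookie to same-site requests as a second layer (PHP >= 7.3).
session_set_cookie_params(['samesite' => 'Lax', 'httponly' => true]);
session_start();

// Issue one unguessable token per session and reuse it for every form.
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Verify the submitted token in constant time; anything missing or wrong fails.
function csrf_valid(array $post, array $session): bool
{
    $expected = $session['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    if ($expected === '' || !is_string($given)) {   // arrays or absent values fail closed
        return false;
    }
    return hash_equals($expected, $given);
}

// Render side: embed the token in the admin form as a hidden field.
function render_user_form(array &$session): string
{
    $token = htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="/admin/user_manipulate">'
         . '<input type="hidden" name="csrf_token" value="' . $token . '">'
         . '<input name="username"><input name="role">'
         . '<button type="submit">Save</button></form>';
}

// Handler side: reject the request before any privileged work happens.
function handle_user_manipulate(array $post, array $session): array
{
    if (!csrf_valid($post, $session)) {
        return ['status' => 403, 'body' => 'rejected: missing or invalid CSRF token'];
    }
    // ... create or modify the user here ...
    return ['status' => 200, 'body' => 'ok'];
}

// A forged cross-site form cannot know the session token, so it is rejected.
$forged = handle_user_manipulate(['username' => 'x', 'role' => 'admin'], $_SESSION);
echo $forged['body'], PHP_EOL;
```

The same token must be checked on every state-changing admin endpoint (the page names admin/settings/generall as well), not only on the one shown here.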
CVE-2016-20054 is a cross-site request forgery vulnerability in khodakhah/nodcms versions up to 3.4.1, allowing attackers to perform unauthorized admin actions.
You are affected if you are using khodakhah/nodcms versions 3.4.1 or earlier. Upgrade to a patched version as soon as possible.
Upgrade to a patched version of khodakhah/nodcms. Implement CSRF tokens and input validation as a temporary workaround.
There is no current evidence of active exploitation, but the vulnerability is relatively easy to exploit.
Official advisories are not readily available; consult the NVD entry for more information.