Exploit
CVE-2024-9281

Cross-Site Request Forgery (CSRF) (CWE-352)

Published: Sep 27, 2024 / Updated: 53d ago

010
CVSS 6.9EPSS 0.05%Medium
CVE info copied to clipboard

Summary

A vulnerability classified as problematic has been discovered in bg5sbk MiniCMS versions up to 1.11. The issue affects unknown processing in the file post-edit.php, leading to cross-site request forgery (CSRF). This vulnerability can be exploited remotely and requires user interaction. The exploit has been publicly disclosed and may be actively used.

Impact

If successfully exploited, this vulnerability could allow an attacker to perform actions on behalf of an authenticated user without their knowledge or consent. The primary impact is on the integrity of the system, with a low severity. There is no direct impact on confidentiality or availability of the system. The CVSS v3.1 base score is 4.3 (Medium), while the CVSS v4.0 base score is 6.9 (Medium).

Exploitation

One proof-of-concept exploit is available on github.com. There is no evidence of proof of exploitation at the moment.

Patch

As of the latest information provided, there is no mention of an available patch. The vendor was contacted about this disclosure but did not respond, suggesting that a patch may not be currently available.

Mitigation

1. Implement CSRF tokens in all forms and state-changing requests. 2. Use the SameSite cookie attribute to limit the scope of session cookies. 3. Implement proper Cross-Origin Resource Sharing (CORS) policies. 4. Educate users about the risks of clicking on untrusted links while authenticated to the application. 5. Consider updating to a newer version of the CMS if one becomes available that addresses this vulnerability. 6. Monitor for any vendor responses or patch releases related to this vulnerability.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Timeline

CVE Assignment

NVD published the first details for CVE-2024-9281

Sep 27, 2024 at 1:15 PM
First Article

Feedly found the first article mentioning CVE-2024-9281. See article

Sep 27, 2024 at 1:24 PM / National Vulnerability Database
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Sep 27, 2024 at 1:25 PM
CVSS Estimate

Feedly estimated the CVSS score as MEDIUM

Sep 27, 2024 at 1:38 PM
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Sep 27, 2024 at 3:48 PM
CVSS Estimate

Feedly estimated the CVSS score as MEDIUM

Sep 27, 2024 at 7:43 PM
EPSS

EPSS Score was set to: 0.05% (Percentile: 16.3%)

Sep 28, 2024 at 9:21 AM
Proof of Concept (PoC) Released

A proof of concept exploit has been released

Oct 4, 2024 at 9:10 PM
Static CVE Timeline Graph

Affected Systems

Bg5sbk/minicms
+null more

Exploits

https://github.com/bg5sbk/MiniCMS/issues/51
+null more

Attack Patterns

CAPEC-111: JSON Hijacking (aka JavaScript Hijacking)
+null more

News

CVE-2024-9281 Exploit
CVE Id : CVE-2024-9281 Published Date: 2024-10-04T18:15:00+00:00 A vulnerability was found in bg5sbk MiniCMS up to 1.11 and classified as problematic. This issue affects some unknown processing of the file post-edit.php. The manipulation leads to cross-site request forgery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The initial researcher advisory mentions confusing version and file name information. The vendor was contacted early about this disclosure but did not respond in any way. inTheWild added a link to an exploit:
Update Thu Oct 3 22:28:08 UTC 2024
Update Thu Oct 3 22:28:08 UTC 2024
Update Sun Sep 29 06:28:03 UTC 2024
Update Sun Sep 29 06:28:03 UTC 2024
CVE-2024-9281
The initial researcher advisory mentions confusing version and file name information. Gravedad 3.1 (CVSS 3.1 Base Score)
BG5SBK MINICMS CVE-2024-9281 CVE-2024-9281 bg5sbk MiniCMS post-edit.php cross-site request forgery A vulnerability was found in bg5sbk MiniCMS up to 1.11 and classified as problematic. This issue affects some unknown processing of the file post-edit.php. The manipulation leads to cross-site request forgery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The initial researcher advisory mentions confusing version and file name information. The vendor was contacted early about this disclosure but did not respond in any way. https://www. cve.org/CVERecord?id=CVE-2024- 9281 https:// vuldb.com/?id.278663 https:// vuldb.com/?ctiid.278663 https:// vuldb.com/?submit.411164 https:// github.com/bg5sbk/MiniCMS/issu es/51 # bg5sbk # MiniCMS # CVE_2024_9281 # bot
See 5 more articles and social media posts

CVSS V3.1

Attack Vector:Network
Attack Complexity:Low
Privileges Required:None
User Interaction:Required
Scope:Unchanged
Confidentiality:None
Integrity:Low
Availability Impact:None

Categories

Be the first to know about critical vulnerabilities

Collect, analyze, and share vulnerability reports faster using AI