CVE-2024-9282

Cross-Site Request Forgery (CSRF) (CWE-352)

Published: Sep 27, 2024 / Updated: 53d ago

CVSS 6.9 | EPSS 0.05% | Medium

Summary

A vulnerability has been identified in bg5sbk MiniCMS versions up to, but not including, 1.11. The issue is related to an unknown function in the file page-edit.php, which can be exploited to perform a Cross-Site Request Forgery (CSRF) attack. This vulnerability allows remote attacks and requires user interaction.

Impact

The impact of this vulnerability is primarily on the integrity of the system, with a low effect. There is no direct impact on confidentiality or availability. Attackers could potentially trick users into performing unintended actions on the MiniCMS, which could lead to unauthorized changes or data manipulation. The CVSS v3.1 base score is 4.3 (Medium), while the CVSS v4.0 base score is 6.9 (Medium), indicating a moderate level of severity.

Exploitation

One proof-of-concept exploit is available on github.com. There is currently no evidence of exploitation.

Patch

As of the latest information provided, there is no mention of an available patch. The vulnerability affects MiniCMS versions before 1.11, but it's unclear if version 1.11 itself is patched. The vendor (bg5sbk) was contacted about this disclosure but did not respond, which may indicate a lack of immediate patch availability.

Mitigation

While a specific patch is not mentioned, the following mitigation strategies are recommended:

1. Update MiniCMS to the latest version if one becomes available.
2. Implement CSRF tokens in all forms and state-changing requests.
3. Use the 'SameSite' attribute on cookies to limit CSRF risks.
4. Educate users about the risks of clicking on untrusted links.
5. Consider implementing additional security headers like Content-Security-Policy.
6. Monitor for any updates or patches from the vendor (bg5sbk).
7. If possible, restrict access to the affected page-edit.php file.
8. Implement proper session management and user authentication mechanisms.

Given the lack of vendor response, consider alternative CMS solutions if timely patches are not provided.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Timeline

Sep 27, 2024 at 1:15 PM - CVE Assignment: NVD published the first details for CVE-2024-9282.

Sep 27, 2024 at 1:24 PM - First Article: Feedly found the first article mentioning CVE-2024-9282 (National Vulnerability Database).

Sep 27, 2024 at 1:25 PM - CVSS Estimate: Feedly estimated the CVSS score as MEDIUM.

Sep 28, 2024 at 9:21 AM - EPSS: EPSS Score was set to 0.05% (Percentile: 16.3%).

Oct 4, 2024 at 9:10 PM - Proof of Concept (PoC) Released: A proof of concept exploit has been released.

Affected Systems

Bg5sbk/minicms

Exploits

https://github.com/bg5sbk/MiniCMS/issues/52

Attack Patterns

CAPEC-111: JSON Hijacking (aka JavaScript Hijacking)

News

CVE-2024-9282 Exploit
CVE ID: CVE-2024-9282. Published Date: 2024-10-04T18:33:00+00:00. A vulnerability was found in bg5sbk MiniCMS 1.11. It has been classified as problematic. Affected is an unknown function of the file page-edit.php. The manipulation leads to cross-site request forgery. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The initial researcher advisory mentions confusing version and file name information. The vendor was contacted early about this disclosure but did not respond in any way.
Update Sun Sep 29 06:28:03 UTC 2024
CVE-2024-9282
Severity 3.1 (CVSS 3.1 Base Score). Affected is an unknown function of the file page-edit.php.
NA - CVE-2024-9282 - A vulnerability was found in bg5sbk MiniCMS...
A vulnerability was found in bg5sbk MiniCMS 1.11. It has been classified as problematic. Affected is an unknown function of the file page-edit.php. The manipulation leads to cross-site request...
CVE-2024-9282 - bg5sbk MiniCMS Cross-Site Request Forgery Vulnerability
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics. The following table lists the changes that have been made to the vulnerability over time.

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability Impact: None
