8.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2017-20062

GHSA ID

GHSA-pq7f-cq6q-94xh

EPSS Score

0.38294%

CWE

CWE-352

Published

6/21/2022

Updated

1/27/2023

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2017-20062

CVE-2017-20062: Cross-Site Request Forgery in Elefant CMS

A vulnerability was found in Elefant CMS 1.3.12-RC and classified as problematic. This issue affects some unknown processing. The manipulation leads to cross-site request forgery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.3.13 is able to address this issue. It is recommended to upgrade the affected component.

(GitHub Advisory)

8.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2017-20062

GHSA ID

GHSA-pq7f-cq6q-94xh

EPSS Score

0.38294%

CWE

CWE-352

Published

6/21/2022

Updated

1/27/2023

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
elefant/cms	composer	< 1.3.13	1.3.13

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability manifests in endpoints handling state-changing operations (/user/add and /designer/preview) that lacked CSRF protections. The PoC demonstrates these endpoints accept POST requests without token validation. In Elefant CMS architecture, these would correspond to handler functions in respective module directories. The high confidence comes from: 1) Direct correlation between exploit PoC and endpoint functionality 2) CSRF's inherent requirement for missing token validation 3) Vendor patching pattern typically involves adding CSRF checks to these handlers.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* vuln*r**ility w*s *oun* in *l***nt *MS *.*.**-R* *n* *l*ssi*i** *s pro*l*m*ti*. T*is issu* *****ts som* unknown pro**ssin*. T** m*nipul*tion l***s to *ross-sit* r*qu*st *or**ry. T** *tt**k m*y ** initi*t** r*mot*ly. T** *xploit **s ***n *is*los** t

Reasoning

T** vuln*r**ility m*ni**sts in *n*points **n*lin* st*t*-***n*in* op*r*tions (/us*r/*** *n* /**si*n*r/pr*vi*w) t**t l**k** *SR* prot**tions. T** Po* **monstr*t*s t**s* *n*points ****pt POST r*qu*sts wit*out tok*n v*li**tion. In *l***nt *MS *r**it**tur

8.8

Basic Information

Concerned about an active attack path?

CVE-2017-20062: Cross-Site Request Forgery in Elefant CMS

8.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI