
CVE-2018-14519: Kirby CMS 2.5.12 Cross-site Request Forgery

CVSS Score (v3.1): 4.3

Basic Information

EPSS Score: 0.20252%
Published: 8/25/2022
Updated: 1/27/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Package Name: getkirby/cms
Ecosystem: composer
Vulnerable Versions: <= 2.5.12
First Patched Version: not listed

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability manifests in the page deletion endpoint, which lacks CSRF protection. The exploit demonstrates a simple HTML form that triggers deletion without any anti-CSRF token. In an MVC architecture like Kirby's, this would map to a controller method handling DELETE requests. Because this state-changing operation performs no CSRF check, a forged request succeeds whenever an authenticated user visits a malicious page.
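The missing check described above, as an added PHP illustration that is not Kirby's own code: requireLogin(), deletePage(), the session key names and the csrf_token form field are assumptions, not identifiers from the project.

```php
<?php
// Added illustration, not Kirby's code: a page-delete handler in the shape the
// advisory describes, beside the same handler guarded by a per-session
// synchronizer token. requireLogin() and deletePage() are assumed stand-ins.
if (session_status() === PHP_SESSION_NONE) {
    session_start();
}
function requireLogin(): void
{
    if (empty($_SESSION['user'])) {
        http_response_code(401);
        exit('Login required');
    }
}
function deletePage(string $pageId): void
{
    error_log("page {$pageId} deleted by {$_SESSION['user']}"); // real app removes content here
}
// One random token per session, rendered as a hidden field in every delete
// form; a form hosted on another origin has no way to read it.
function csrfToken(): string
{
    $_SESSION['csrf_token'] ??= bin2hex(random_bytes(32));
    return $_SESSION['csrf_token'];
}
// hash_equals() compares in constant time, so the check leaks no timing signal.
function csrfTokenIsValid(?string $submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    return $expected !== '' && $submitted !== null && hash_equals($expected, $submitted);
}
// Vulnerable shape: the session cookie alone authorises the deletion, so a
// forged cross-site form submission by a logged-in user succeeds.
function deletePageUnprotected(string $pageId): void
{
    requireLogin();
    deletePage($pageId);
}

// Hardened shape: same action, accepted only on a POST carrying a valid token.
function deletePageProtected(string $pageId): void
{
    requireLogin();
    if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !csrfTokenIsValid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Missing or invalid CSRF token');
    }
    deletePage($pageId);
}
```

The template that renders the delete form must embed csrfToken() in the hidden csrf_token field; in the scenario the advisory describes, the attacker's page cannot obtain that value across origins, so its forged submission is rejected.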


WAF Protection Rules

WAF Rule

An issue was discovered in Kirby 2.5.12. The delete page functionality suffers from a CSRF flaw. A remote attacker can craft a malicious CSRF page and force the user to delete a page.
