Miggo Logo
Miggo Vulnerability Database
CVE-2018-16552

CVE-2018-16552:
MicroPyramid Django-CRM CSRF

8.8

CVSS Score
3.1

Basic Information

CVE ID
CVE-2018-16552
GHSA ID
GHSA-hq4r-47qc-3jhc
EPSS Score
0.35071%
CWE
CWE-352
Published
5/13/2022
Updated
9/16/2024
KEV Status
No
Technology
TechnologyPython

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
Django-CRMpip<= 0.2

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from missing CSRF protection on state-changing endpoints. In Django, views handling POST requests typically require either CsrfViewMiddleware or @csrf_protect decorator. The confirmed vulnerable endpoints (/users/create/, /users/##/edit/, /accounts/##/delete/) map directly to these view functions, which would normally handle user creation, editing, and deletion operations. The absence of CSRF tokens in exploit POC requests indicates these views lack proper CSRF validation mechanisms. Django's class-based views like CreateView/UpdateView/DeleteView would be the logical implementations for these endpoints, making them the vulnerable components.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

Mi*roPyr*mi* *j*n*o-*RM *.* *llows *SR* *or `/us*rs/*r**t*/`, `/us*rs/##/**it/`, *n* `/***ounts/##/**l*t*/` URIs.

Reasoning

T** vuln*r**ility st*ms *rom missin* *SR* prot**tion on st*t*-***n*in* *n*points. In *j*n*o, vi*ws **n*lin* POST r*qu*sts typi**lly r*quir* *it**r *sr*Vi*wMi**l*w*r* or @*sr*_prot**t ***or*tor. T** *on*irm** vuln*r**l* *n*points (/us*rs/*r**t*/, /us*