Miggo Logo
Miggo Vulnerability Database
CVE-2020-23264

CVE-2020-23264: Cross-Site Request Forgery in forkcms

8.8

CVSS Score
3.1

Basic Information

CVE ID
CVE-2020-23264
GHSA ID
GHSA-82xf-8h9p-c6qj
EPSS Score
0.30502%
CWE
CWE-352
Published
6/22/2021
Updated
2/1/2023
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
forkcms/forkcmscomposer< 5.8.25.8.2

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stemmed from missing CSRF protections in state-changing backend actions. The GitHub PR #3123 commits show CSRF checks were added to: analytics reset, blog mass actions, module installation, user restoration, and mailmotor pinging. These functions were vulnerable because they handled privileged operations without verifying request authenticity. The high confidence comes from direct correlation between commit messages adding CSRF checks and the CVE description of authentication hijacking via missing CSRF protections.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*ross-sit* r*qu*st *or**ry (*SR*) in *ork-*MS ***or* *.*.* *llow r*mot* *tt**k*rs to *ij**k t** *ut**nti**tion o* lo**** **ministr*tors.

Reasoning

T** vuln*r**ility st*mm** *rom missin* *SR* prot**tions in st*t*-***n*in* ***k*n* **tions. T** *it*u* PR #**** *ommits s*ow *SR* ****ks w*r* ***** to: *n*lyti*s r*s*t, *lo* m*ss **tions, mo*ul* inst*ll*tion, us*r r*stor*tion, *n* m*ilmotor pin*in*. T