
CVE-2020-23264: Cross-Site Request Forgery in forkcms

CVSS Score: 8.8 (CVSS v3.1)

Basic Information

EPSS Score: 0.30502%
Published: 6/22/2021
Updated: 2/1/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Package Name: forkcms/forkcms
Ecosystem: composer
Vulnerable Versions: < 5.8.2
First Patched Version: 5.8.2

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stemmed from missing CSRF protections in state-changing backend actions. The commits in GitHub PR #3123 show CSRF checks being added to: analytics reset, blog mass actions, module installation, user restoration, and mailmotor pinging. These actions were vulnerable because they performed privileged operations on the strength of the session cookie alone, without verifying that the request was deliberately issued by the administrator (no CSRF token check), so a request forged by an attacker-controlled page and sent by the victim's browser was accepted as if it were legitimate. The high confidence comes from the direct correlation between the commit messages adding CSRF checks and the CVE description of authentication hijacking via missing CSRF protections.
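The pattern described above, as an added example written for this page rather than Fork CMS's own code or the PR #3123 patch: a hypothetical "reset analytics" backend action in its vulnerable form, which only checks that someone is logged in, beside a hardened form that also requires POST and a per-session token compared with hash_equals. All function and field names (resetAnalyticsVulnerable, resetAnalyticsHardened, csrf_token, user_id) are assumptions made for the illustration; the session and requests are constructed inline so the script runs offline.

```php
<?php
// Added example, not Fork CMS code. Function and field names are hypothetical.
declare(strict_types=1);

// Issue one unguessable token per session and keep it server-side.
function csrfTokenForSession(array &$session): string
{
    if (!isset($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Vulnerable pattern: any request arriving with a valid admin session
// performs the privileged state change. The browser attaches the session
// cookie automatically, so a request triggered from an attacker's page
// passes this check just as well as one the administrator intended.
function resetAnalyticsVulnerable(array $session, array $request, array &$analytics): bool
{
    if (empty($session['user_id'])) {
        return false;          // only asks "is someone logged in?"
    }
    $analytics = [];           // privileged state change, no token or method check
    return true;
}

// Hardened pattern: the action is reachable only via POST and only when the
// request carries the token that was rendered into the admin's own form.
// An attacker's page can make the victim's browser send the cookie, but it
// cannot read the token out of the admin session, so the check fails.
function resetAnalyticsHardened(array $session, array $request, array &$analytics): bool
{
    if (empty($session['user_id'])) {
        return false;
    }
    if (($request['method'] ?? 'GET') !== 'POST') {
        return false;          // never change state on GET
    }
    $expected = $session['csrf_token'] ?? '';
    $given    = $request['post']['csrf_token'] ?? '';
    if ($expected === '' || !is_string($given) || !hash_equals($expected, $given)) {
        return false;          // token missing or wrong: treat as forged
    }
    $analytics = [];
    return true;
}

// Constructed sample data: an administrator session and two requests.
$session   = ['user_id' => 1];
$token     = csrfTokenForSession($session);
$analytics = ['visits' => 1234];

// What a cross-site page can cause the browser to send: cookie, but no token.
$forged = ['method' => 'POST', 'post' => []];
// What the administrator's own backend form sends.
$legit  = ['method' => 'POST', 'post' => ['csrf_token' => $token]];

$copy = $analytics;
$wipedByForgery = resetAnalyticsVulnerable($session, $forged, $copy);

$copy = $analytics;
$forgeryRejected = !resetAnalyticsHardened($session, $forged, $copy);

$copy = $analytics;
$legitAccepted = resetAnalyticsHardened($session, $legit, $copy);

printf("vulnerable action wiped data on forged request: %s\n", $wipedByForgery ? 'yes' : 'no');
printf("hardened action rejected forged request:        %s\n", $forgeryRejected ? 'yes' : 'no');
printf("hardened action accepted legitimate request:    %s\n", $legitAccepted ? 'yes' : 'no');
```

Two points a practitioner would check when auditing similar backend code: every handler that changes state (reset, delete, install, restore, mass actions) should go through the token check, not only the obvious form submissions, and the comparison should use hash_equals rather than == so the token cannot be leaked byte by byte through timing. A SameSite cookie attribute is useful defence in depth but is not a substitute for the per-request token.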

Vulnerable functions

Only Miggo users can see this section.

WAF Protection Rules

WAF Rule

Cross-site request forgery (CSRF) in Fork-CMS before 5.8.2 allows remote attackers to hijack the authentication of logged-in administrators.

Reasoning

The rule follows from the root cause analysis above: the backend actions listed there (analytics reset, blog mass actions, module installation, user restoration, and mailmotor pinging) performed privileged state changes without a CSRF check, which is the missing protection that PR #3123 added.