CVE-2020-25262: PyroCMS Vulnerable to CSRF
CVSS Score (v3.1): 4.3
Basic Information
CVE ID: CVE-2020-25262
GHSA ID:
EPSS Score: 0.34959%
CWE:
Published: 5/24/2022
Updated: 4/25/2024
KEV Status: No
Technology: PHP
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
pyrocms/pyrocms | composer | <= 3.7 | |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from a destructive action (page deletion) being reachable through a GET request with no CSRF protection. PyroCMS 3 is built on Laravel, and Laravel's VerifyCsrfToken middleware deliberately skips "reading" methods (GET, HEAD, OPTIONS), so a state-changing route exposed on GET is unprotected whether or not the middleware is registered; in a conventional Laravel implementation such actions are routed through POST or DELETE and carry the session-bound CSRF token. The admin/pages/delete/{id} URI pattern suggests it maps to a delete method in the PagesController. The exploit demonstrates CSRF through a GET request, which is consistent with the route never passing through CSRF validation. While the exact code is not available, the URI structure and Laravel conventions strongly suggest that the controller method handling this route is vulnerable. The CVSS vector reflects this: no privileges are needed by the attacker (PR:N), but an authenticated administrator must load attacker-controlled content while their session is active (UI:R), and the only impact is deletion of a page (I:L).
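The following is an added example, not code from PyroCMS or Laravel. It is a plain-PHP model of the two route shapes discussed above: the vulnerable shape, where the delete handler is reachable by GET and therefore never token-checked, and a hardened shape, where the handler sits on a DELETE route and the request must carry the session-bound token. The class PageStore and the functions isReadingMethod, csrfGuard, dispatch and runScenario are invented for illustration; the only behaviour borrowed from Laravel is the rule that HEAD, GET and OPTIONS requests skip the CSRF check. In a real Laravel application the hardened shape corresponds to a Route::delete(...) definition plus a Blade form carrying @csrf and @method('DELETE').

```php
<?php
declare(strict_types=1);

// Added example, not PyroCMS or Laravel source. PageStore, csrfGuard,
// dispatch and runScenario are invented names used only to model the issue.

final class PageStore
{
    /** @var array<int, string> constructed sample data */
    private array $pages = [1 => 'Home', 2 => 'About'];

    public function delete(int $id): bool
    {
        if (!isset($this->pages[$id])) {
            return false;
        }
        unset($this->pages[$id]);
        return true;
    }

    public function count(): int
    {
        return count($this->pages);
    }
}

// Same rule as Laravel's VerifyCsrfToken middleware: "reading" methods are
// never token-checked, so any state change reachable by GET is exposed.
function isReadingMethod(string $method): bool
{
    return in_array(strtoupper($method), ['HEAD', 'GET', 'OPTIONS'], true);
}

// For non-reading methods, compare the token sent with the request (hidden
// form field or X-CSRF-TOKEN header) against the victim's session token.
function csrfGuard(array $request, string $sessionToken): bool
{
    if (isReadingMethod($request['method'])) {
        return true;
    }
    $sent = (string) ($request['token'] ?? '');
    return $sent !== '' && hash_equals($sessionToken, $sent);
}

// Minimal router: routes are keyed "METHOD /pattern", {id} matches digits.
function dispatch(array $routes, array $request, string $sessionToken): string
{
    foreach ($routes as $key => $handler) {
        [$method, $pattern] = explode(' ', $key, 2);
        $regex = '#^' . str_replace('{id}', '(\d+)', $pattern) . '$#';
        if ($method !== strtoupper($request['method'])
            || !preg_match($regex, $request['path'], $m)) {
            continue;
        }
        if (!csrfGuard($request, $sessionToken)) {
            return '419 token mismatch';
        }
        return $handler((int) $m[1]);
    }
    return '404 no route';
}

// Replay one forged cross-site request (no token: another origin cannot read
// the victim's session token) and one legitimate in-app request.
function runScenario(bool $hardened): array
{
    $store = new PageStore();
    $sessionToken = bin2hex(random_bytes(16));
    $handler = fn (int $id): string =>
        $store->delete($id) ? "deleted page $id" : '404 no such page';

    // Vulnerable shape from the advisory vs. hardened shape.
    $routes = $hardened
        ? ['DELETE /admin/pages/{id}' => $handler]
        : ['GET /admin/pages/delete/{id}' => $handler];

    // The victim's browser sends a GET with cookies attached whenever a
    // cross-site page embeds e.g. <img src="https://victim/admin/pages/delete/1">.
    $forged = $hardened
        ? ['method' => 'DELETE', 'path' => '/admin/pages/1', 'token' => '']
        : ['method' => 'GET', 'path' => '/admin/pages/delete/1'];
    $legit = $hardened
        ? ['method' => 'DELETE', 'path' => '/admin/pages/2', 'token' => $sessionToken]
        : ['method' => 'GET', 'path' => '/admin/pages/delete/2'];

    return [
        'forged'     => dispatch($routes, $forged, $sessionToken),
        'legit'      => dispatch($routes, $legit, $sessionToken),
        'pages_left' => $store->count(),
    ];
}

foreach ([false, true] as $hardened) {
    $r = runScenario($hardened);
    printf("%-10s forged: %-22s legit: %-16s pages left: %d\n",
        $hardened ? 'hardened' : 'vulnerable', $r['forged'], $r['legit'], $r['pages_left']);
}
```

Run it with `php csrf_model.php` (any PHP 7.4+ interpreter). In the vulnerable configuration the forged GET deletes page 1 exactly as the legitimate request deletes page 2, because the guard never runs for GET; in the hardened configuration the forged request is rejected with a token mismatch while the in-app request, which carries the session token, still succeeds. The point a reviewer should take from this is that moving the route off GET is what makes the token check apply at all; adding CSRF middleware to a GET route changes nothing.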