
CVE-2021-25976: Cross-Site Request Forgery in PiranhaCMS

CVSS Score
8.1 (CVSS v3.1)

Basic Information

EPSS Score
0.28793%
Published
11/17/2021
Updated
2/1/2023
KEV Status
No
Technology
C#

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
Package Name
Piranha
Ecosystem
nuget
Vulnerable Versions
>= 4.0.0-alpha1, <= 9.2.0
First Patched Version
10.0-alpha1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from state-changing management operations (delete/approve/unapprove) being exposed on HTTP GET endpoints with no anti-forgery token validation. Because the browser attaches the manager's session cookie to a cross-site GET automatically, any page a logged-in manager visits can trigger these operations with nothing more than an image tag or a link, provided the target ID is known. The fixing commit moves these endpoints to HTTP DELETE/POST and decorates them with [AutoValidateAntiforgeryToken], which validates the anti-forgery token on every unsafe verb. The PoC demonstrates CSRF via GET requests, and the patch's combination of a verb change and added CSRF protection confirms the original vulnerability vectors. Note that the verb change matters on its own: ASP.NET Core's anti-forgery filters deliberately skip GET, HEAD, OPTIONS and TRACE, so adding the attribute to a GET action would not have protected it.
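As an added illustration (not Piranha's own code; the controller, route and service names below are hypothetical), here is the vulnerable pattern described above beside its hardened form in an ASP.NET Core controller, together with the wiring a JavaScript-driven manager UI needs so that the anti-forgery token can travel in a request header rather than a form field:

```csharp
using System;
using Microsoft.AspNetCore.Antiforgery;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical service standing in for whatever persists users in the CMS.
public interface IUserService
{
    void Delete(Guid id);
}

// BEFORE: the CSRF-prone shape. The delete is a plain GET with no anti-forgery
// check. Any page an authenticated manager visits can fire it, for example
//   <img src="https://cms.example/manager/api/users/delete/<id>">
// because the browser attaches the manager's session cookie to the cross-site GET.
[ApiController]
[Route("manager/api/users")]
[Authorize]
public class VulnerableUsersApiController : ControllerBase
{
    private readonly IUserService _users;
    public VulnerableUsersApiController(IUserService users) => _users = users;

    [HttpGet("delete/{id}")]
    public IActionResult Delete(Guid id)
    {
        _users.Delete(id);   // state change on a "safe" verb, no token required
        return Ok();
    }
}

// AFTER: the same shape as the fix. The verb is DELETE, and
// [AutoValidateAntiforgeryToken] makes the framework reject any POST/PUT/PATCH/
// DELETE on this controller that lacks a valid token (HTTP 400) before the
// action body runs. The attribute alone would not have been enough: it skips
// GET/HEAD/OPTIONS/TRACE by design, so the verb change is part of the fix.
[ApiController]
[Route("manager/api/users")]
[Authorize]
[AutoValidateAntiforgeryToken]
public class HardenedUsersApiController : ControllerBase
{
    private readonly IUserService _users;
    public HardenedUsersApiController(IUserService users) => _users = users;

    [HttpDelete("{id}")]
    public IActionResult Delete(Guid id)
    {
        _users.Delete(id);
        return NoContent();
    }
}

// The manager UI calls the API from JavaScript rather than a <form>, so the
// token is sent in a header. This endpoint issues a token (and sets the
// matching anti-forgery cookie); the UI then sends it back as
//   RequestVerificationToken: <token>
// on every DELETE/POST. A cross-origin page cannot read this response, so it
// cannot forge the header.
[ApiController]
[Route("manager/api/antiforgery")]
[Authorize]
public class AntiforgeryTokenController : ControllerBase
{
    private readonly IAntiforgery _antiforgery;
    public AntiforgeryTokenController(IAntiforgery antiforgery) => _antiforgery = antiforgery;

    [HttpGet]
    public IActionResult Get()
    {
        var tokens = _antiforgery.GetAndStoreTokens(HttpContext);
        return Ok(new { token = tokens.RequestToken });
    }
}

// Startup wiring (call from Program.cs). The header name configured here must
// match the one the client sends, otherwise every DELETE/POST fails validation.
public static class AntiforgerySetup
{
    public static void Configure(WebApplicationBuilder builder)
    {
        builder.Services.AddAntiforgery(options =>
        {
            options.HeaderName = "RequestVerificationToken";
        });
        builder.Services.AddControllers();
    }
}
```

The two controllers are shown side by side only for contrast; a real application would keep the hardened one. The token check is independent of cookie SameSite settings, which is why a verb change plus token validation is the durable fix rather than relying on browser defaults.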


WAF Protection Rules

WAF Rule

In PiranhaCMS, versions 4.0.0-alpha1 to 9.2.0 are vulnerable to cross-site request forgery (CSRF) when performing various actions supported by the management system, such as deleting a user, deleting a role, editing a post, deleting a media folder etc.
