
CVE-2022-27340: Cross Site Request Forgery in Mingsoft MCMS

CVSS Score (v3.1)
8.8

Basic Information

EPSS Score
0.51535%
Published
4/23/2022
Updated
1/27/2023
KEV Status
No
Technology
Java

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Package Name
net.mingsoft:ms-mcms
Ecosystem
maven
Vulnerable Versions
<= 5.2.7
First Patched Version
(not listed)

Vulnerability Intelligence

Miggo AI Root Cause Analysis

  1. The vulnerability explicitly references /role/saveOrUpdateRole.do as the attack vector
  2. CSRF vulnerabilities typically manifest in state-changing endpoints without anti-CSRF token validation
  3. The path structure suggests a Spring MVC controller handling role management operations
  4. High confidence comes from the direct endpoint reference in CVE details and typical Java web application architecture patterns
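The pattern described in points 2 and 3 (a state-changing Spring MVC endpoint that relies only on the session cookie) is what an anti-CSRF token closes. The following is an added illustration written for this page, not code from MCMS or from Miggo; it assumes Spring Boot 3 with Spring Security 6 on the classpath, and the package, class, bean and parameter names are hypothetical. It shows the weak setting (CSRF protection disabled) as a comment beside the hardened filter chain, and a POST-only controller for the role-management path the CVE names.

```java
// Added illustration (not MCMS or Miggo code). Assumes Spring Boot 3 with
// Spring Security 6 on the classpath; package, class and parameter names are hypothetical.
package example.security;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.ResponseEntity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

@Configuration
public class CsrfHardeningConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // Weak setting, kept only for contrast: with CSRF disabled, a forged
            // cross-site POST to /role/saveOrUpdateRole.do is accepted because the
            // browser attaches the victim's session cookie automatically.
            //   .csrf(csrf -> csrf.disable())
            //
            // Hardened setting: every state-changing request (POST, PUT, PATCH,
            // DELETE) must carry a token matching the XSRF-TOKEN cookie. A page on
            // another origin cannot read that cookie, so the forged request gets 403.
            .csrf(csrf -> csrf.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()))
            // Defence in depth: role administration additionally requires an
            // authenticated user holding the admin role.
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/role/**").hasRole("ADMIN")
                .anyRequest().authenticated());
        return http.build();
    }
}

@RestController
@RequestMapping("/role")
class RoleController {

    // Bind the endpoint to POST only. Spring Security's CsrfFilter deliberately
    // skips GET, HEAD, TRACE and OPTIONS, so a state-changing action that is also
    // reachable via GET would bypass the token check even with CSRF enabled.
    @PostMapping("/saveOrUpdateRole.do")
    public ResponseEntity<String> saveOrUpdateRole(@RequestParam("roleName") String roleName) {
        // Persistence is omitted; only the request-binding rules matter for this example.
        return ResponseEntity.ok("saved role " + roleName);
    }
}
```

With this configuration, a legitimate front end reads the XSRF-TOKEN cookie and sends its value back in the X-XSRF-TOKEN header (or a _csrf form field); any POST to /role/saveOrUpdateRole.do without a matching token is rejected before the controller runs. A regression check in a MockMvc test is to post to the endpoint once with `.with(csrf())` and once without, expecting 200 and 403 respectively.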


WAF Protection Rules

WAF Rule

MCMS v5.2.7 contains a Cross-Site Request Forgery (CSRF) via /role/saveOrUpdateRole.do. This vulnerability allows attackers to escalate privileges and modify data.
