Description

Cross-site request forgery (CSRF) vulnerability in CMS Made Simple before 2.1.6 allows remote attackers to hijack the authentication of administrators for requests that create accounts via an admin/adduser.php request.

Remediation

Update to CMS Made Simple 2.1.6 or later.

References

https://www.cmsmadesimple.org/2016/12/Announcing-CMSMS-v2-1-6-Spanish-Wells/

https://www.cvedetails.com/cve/CVE-2016-7904/

http://www.securityfocus.com/bid/95453

Related Vulnerabilities

WordPress Plugin Portfolio-WordPress Portfolio Cross-Site Request Forgery (2.8.8)

WordPress Plugin Shareaholic-share buttons, related posts, social analytics & more Cross-Site Request Forgery (7.0.3.3)

WordPress Plugin WP Photo Album Plus Cross-Site Request Forgery (4.8.11)

WordPress Plugin WP Project Manager-Task, team, and project management featuring kanban board and gantt charts Cross-Site Request Forgery (2.4.0)

WordPress Plugin Software License Manager Cross-Site Request Forgery (4.5.0)

Severity

Medium

Classification

CVE-2016-7904 CWE-352 CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:H/A:N CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N

Tags

CSRF