Papoo CMS Cross Site Request Forgery

2021.04.05

Credit: Reinhard Westerholt

Risk: Low

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-352

Advisory: CSRF Vulnerability in Papoo CMS
Advisory ID: rADV-2021-01
Author: Reinhard Westerholt
Affected Software: 21.02 Rev. 04f1ca6 - Papoo Light
                   6.0.1 Rev. 4770    - Papoo Pro
Vendor URL: http://www.papoo.de/
Vendor Status: fixed
CVE-ID: -

==========================
Vulnerability Description:
==========================

The Papoo CMS is vulnerable against CSRF attacks due to missing CSRF protection.

==================
Technical Details:
==================

Formulars of the administration interfaces are not protected against CSRF attacks, therefore an attacker could change the admin password through a cross-site remote request.


=========
Solution:
=========

Update to the latest version

====================
Disclosure Timeline:
====================
08-Mar-2021 – found CSRF weakness
09-Mar-2021 - informed the developers 
19-Mar-2021 - fix published by vendor
03-Apr-2021 - published this security advisory


========
Credits:
========

Vulnerability found and advisory written by Reinhard Westerholt.

===========
References:
===========

http://www.papoo.de/
https://github.com/raginx/security

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Papoo CMS Cross Site Request Forgery

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.