CVE-2021-25976 Piranha CMS - Site-wide Cross-Site Request Forgery (CSRF)

2021-11-1609:05:12

CWE-352

Mend

www.cve.org

piranha cms

csrf vulnerability

cross-site request forgery

security issue

version 4.0.0-alpha1

version 9.2.0

management system

CVSS3

8.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

EPSS

0.001

Percentile

30.2%

JSON

In PiranhaCMS, versions 4.0.0-alpha1 to 9.2.0 are vulnerable to cross-site request forgery (CSRF) when performing various actions supported by the management system, such as deleting a user, deleting a role, editing a post, deleting a media folder etc., when an ID is known.

CNA Affected

[
  {
    "product": "Piranha",
    "vendor": "PiranhaCMS",
    "versions": [
      {
        "lessThan": "unspecified",
        "status": "affected",
        "version": "4.0.0-alpha1",
        "versionType": "custom"
      },
      {
        "lessThanOrEqual": "9.2.0",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]