FuelCMS 1.4.4 CSRF

    Disclosure date:  08/17/19

    CVE-2019-15229

    FuelCMS 1.4.4 and possibly before are affected by a Cross Site Request Forgery vulnerability in the Create Blocks section of the Admin console.  This could lead to an attacker tricking the administrator into executing arbitrary code via a specially crafted HTML page.

    Viewing the Blocks section from the admin console, "No data to display":





    POC:











    When the administrator is tricked into accessing our malicious page:






    Our Block is created and saved.



    © 2020 sevenlayers.com