Gila CMS 1.11.3 CSRF

    Disclosure date:  9/23/19

    Gila CMS 1.11.3 and possibly before are affected by a Cross Site Request Forgery vulnerability due to a lack of CSRF protection.  This could lead to an attacker tricking the administrator into executing arbitrary code via a specially crafted HTML page.

    Users page:





    Malicious page:





    When the administrator is tricked into clicking the malicious link, we get the following response:





    When we refresh the Users page, we see newly created user:



    © 2020 sevenlayers.com