CVE-2022-44389: EyouCMS v1.5.9 has a vulnerability, Cross-site request forgery (CSRF) · Issue #30 · weng-xianhu/eyoucms
EyouCMS V1.5.9-UTF8-SP1 was discovered to contain a Cross-Site Request Forgery (CSRF) via the Edit Admin Profile module. This vulnerability allows attackers to arbitrarily change Administrator account information.
EyouCMS v1.5.9 has a Cross-site request forgery (CSRF) vulnerability located in the back office, in the "edit administrator profile" function. It may allow modification of personal information such as the administrator's password, mobile phone number, and email address. To exploit this vulnerability, a constructed HTML file needs to be opened.
1. Go to the back office -> personal information.
The password is "admin123456".
2. Construct a request that changes the password, mobile phone number, email address, and other basic information.
The figure above shows the constructed web page code, which uses CSRF to change the password to "csrftest", the mobile phone number to "11111111111", and the email address to "123@csrf.test".
3. View the administrator's profile:
At this point the administrator password is still "admin123456"; the other information is shown in the preceding figure.
4. Open the constructed web page.
Return to the back-office page and view the administrator's profile.
CSRF has successfully changed the mobile phone number and email address.
Verify that the password has been changed to "csrftest":
Login successful!
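The standard fix for the issue reported above is a per-session anti-CSRF token on the profile form, checked server-side before any field is written. The following is an added example, not EyouCMS code: a minimal Python model of such a handler, with assumed cookie, field and route names, that accepts the in-app edit and rejects the forged cross-site submission described in the steps.

```python
import hmac
import secrets
from dataclasses import dataclass, field
# Constructed model of an admin "edit profile" endpoint guarded by a per-session
# (synchronizer) CSRF token. Not EyouCMS code: the cookie, field and route names
# are assumptions made for illustration.
PROFILE_FIELDS = {"pwd", "mobile", "email"}  # the fields the report shows being altered

@dataclass
class Session:
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))
    profile: dict = field(default_factory=dict)

@dataclass
class Request:
    method: str
    cookies: dict   # sent by the browser automatically, even from another site
    form: dict      # fully controlled by whoever authored the submitting page
    headers: dict   # Origin is set by the browser and cannot be forged by a page

def csrf_ok(session: Session, request: Request, site_origin: str) -> bool:
    # Only POSTs carrying this session's token pass; an Origin header, if present, must be ours.
    if request.method != "POST":
        return False
    token = request.form.get("_csrf_token", "")
    # constant-time comparison so the check itself does not leak the token
    if not hmac.compare_digest(token.encode(), session.csrf_token.encode()):
        return False
    origin = request.headers.get("Origin")
    return origin is None or origin == site_origin

def update_admin_profile(sessions: dict, request: Request, site_origin="https://cms.example"):
    session = sessions.get(request.cookies.get("PHPSESSID"))  # hypothetical route handler
    if session is None:
        return 401, "not logged in"
    if not csrf_ok(session, request, site_origin):
        return 403, "csrf check failed"  # a forged cross-site form ends here
    session.profile.update({k: v for k, v in request.form.items() if k in PROFILE_FIELDS})
    return 200, "profile updated"

def demo():  # replays the report's scenario: one in-app edit, then one forged page
    sessions = {"abc": Session(profile={"pwd": "admin123456"})}
    good = Request("POST", {"PHPSESSID": "abc"},
                   {"_csrf_token": sessions["abc"].csrf_token, "email": "admin@cms.example"},
                   {"Origin": "https://cms.example"})
    forged = Request("POST", {"PHPSESSID": "abc"},  # the session cookie rides along...
                     {"pwd": "csrftest", "mobile": "11111111111", "email": "123@csrf.test"},
                     {"Origin": "https://attacker.example"})  # ...token and origin do not
    return (update_admin_profile(sessions, good), update_admin_profile(sessions, forged),
            sessions["abc"].profile)
```

The token must be unguessable per session and must never be readable cross-site (it is embedded in the form HTML, not in a cookie), otherwise the forged page could simply include it.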