Headline
CVE-2022-44387: EyouCMS v1.5.9 has a vulnerability, Cross-site request forgery(CSRF) · Issue #29 · weng-xianhu/eyoucms
EyouCMS V1.5.9-UTF8-SP1 was discovered to contain a Cross-Site Request Forgery (CSRF) via the Basic Information component under the Edit Member module.
EyouCMS v1.5.9 has a vulnerability, Cross-site request forgery(CSRF).Located in the backend, member center, edit member profile. To exploit this vulnerability, a constructed HTML file needs to be opened
- Enter the background - > member center - > edit members - > basic information
Construct a request package to modify the membership level and login password, among other basic information
The figure above shows the constructed web code, and the password is changed to “csrftest” through CSRF, and the membership level is changed to premium membership (100 days).
View profile
In this case, the password is “test01” and the membership level is registered member
Click on the constructed web page
Return to the client refresh page to log in to test01 again, the password has been changed to "csrftest", and the membership level has been changed to premium membership
At this point the password has been changed to "csrftest"
The client views personal information:
View the test01 user's profile in the background: