CVE-2016-20051

EUVD-2016-10858
Snews CMS 1.7 contains a cross-site request forgery vulnerability that allows attackers to change administrator credentials without authentication by crafting malicious HTML forms. Attackers can trick authenticated administrators into visiting a page containing a hidden form that submits POST requests to the changeup action, modifying the admin username and password parameters to gain unauthorized access.
CSRF
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Affected Products (NVD)
VendorProductVersion
snewscmssnews
𝑥
≤ 1.7
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://www.exploit-db.com/exploits/40705
https://www.vulncheck.com/advisories/snews-cms-cross-site-request-forgery-via-changeup