Headline
CVE-2021-45017: There is a csrf vulnerability in catfish - <=6.3.0 · Issue #8 · xwlrbh/Catfish
Cross Site Request Forgery (CSRF) vulnerability exits in Catfish <=6.1.* when you upload an html file containing CSRF on the website that uses a google editor; you can specify the menu url address as your malicious url address in the Add Menu column.
[Suggested description]
Cross Site Request Forgery (CSRF) vulnerability exists incatfish - <=6.3.0. First, you upload an html file containing csrf on the website
that uses a google editor, (you only need to search in google:
inurl:catfishcms/index.php/admin/Index/addmenu.html and then use the authoity of this
When you have background permissions and want to induce other users to perform sensitive operations, you can specify the menu url address as your malicious url address in the Add Menu column
[Vulnerability Type]
Cross Site Request Forgery (CSRF)
[Vendor of Product]
https://github.com/xwlrbh/Catfish
[Affected Product Code Base]
catfish - <=6.3.0
[Affected Component]
To find a website that uses this editor, you only need to search in google: inurl:catfishcms/index.php/admin/Index/addmenu.html
Because this is the feature file of this editor
[Attack Type]
Remote
[Impact Code execution]
true
Attackers can use websites trusted by users to perform dangerous operations
[Attack Vectors]
<title>csrf test</title> // your target url
