SecuriTricks - CVE-2024-9847

Description

FlatPress CMS version latest is vulnerable to Cross-Site Request Forgery (CSRF) attacks that allow an attacker to enable or disable plugins on behalf of a victim user. The attacker can craft a malicious link or script that, when clicked by an authenticated user, will send a request to the FlatPress CMS server to perform the desired action on behalf of the victim user. Since the request is authenticated, the server will process it as if it were initiated by the legitimate user, effectively allowing the attacker to perform unauthorized actions. This vulnerability is fixed in version 1.4.dev.

Product(s) Impacted

Vendor	Product	Versions
Flatpress	Flatpress	1.4.dev

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-352

Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	flatpress	flatpress	1.4.dev	/	/	/	/	/	/	/

References

https://github.com/flatpressblog/flatpress/commit/a81c968f51f134b5e5f9bbe208aa12f4fbc329df

https://huntr.com/bounties/b30ef7b0-74ea-4cac-adc4-1cc8a5cb559e

CVSS Score

8.0 / 10

CVSS Data - 3.0

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: HIGH
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

View Vector String

Timeline

Published: March 20, 2025, 10:15 a.m.
Last Modified: March 20, 2025, 10:15 a.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security@huntr.dev

CVE-2024-9847