CPE matches: cpe:2.3:a:kan-studio:kandidat_cms:1.4.2:*:*:*:*:*:*:*
Multiple cross-site request forgery (CSRF) vulnerabilities in Kandidat CMS 1.4.2 allow remote attackers to hijack the authentication of administrators for requests that (1) modify settings via a validate action to admin/settings.php, (2) modify pages via the what parameter to admin/edit.php, or (3) modify articles via the edit parameter to admin/news.php.
- Limited modification of data and/or system files.
- Limited access to information.
- Reduced performance (partial DoS).
- The attack is carried out remotely over the network and requires no authentication on the attacker's side: the forged request is submitted by the victim administrator's own browser, carrying that administrator's session.
- User interaction is required: an authenticated administrator must be induced to load attacker-controlled content (for example a page that auto-submits a form to one of the admin endpoints above).
Impact and attack conditions derived from the CVSSv2 vector AV:N/AC:M/Au:N/C:P/I:P/A:P.
Type of bug(s)
- CWE-352, Cross-Site Request Forgery (CSRF):
The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.
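Added example, not Kandidat CMS source code and not taken from the advisory: the CWE-352 check described above, written in Python as a generic illustration of what the vulnerable admin endpoints lack. The origin https://cms.example, the csrf_token field name, the handler shape and the sample requests are all assumptions constructed for the demo. The point is the contrast between a handler that trusts the session alone (the pattern behind this advisory) and one that also demands a per-session synchronizer token and rejects submissions whose browser-supplied Origin/Referer names another site.

```python
"""Synchronizer-token CSRF check (CWE-352 defence). Generic example code,
not Kandidat CMS source: origin, field name, handlers and sample requests
below are constructed assumptions."""
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://cms.example"   # assumed deployment origin (constructed)
TOKEN_FIELD = "csrf_token"            # assumed hidden form field name


def issue_token(session: dict) -> str:
    """Create one unguessable token per login session and keep it server-side.
    The admin UI embeds it as a hidden field in every state-changing form
    (settings, page editor, article editor)."""
    token = secrets.token_urlsafe(32)
    session[TOKEN_FIELD] = token
    return token


def _origin_ok(headers: dict) -> bool:
    """Defence in depth: an Origin/Referer naming another site means the form
    was submitted from attacker-controlled content, whatever cookie came along."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return True   # some clients send neither; the token check still applies
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin == SITE_ORIGIN


def request_is_intentional(method: str, headers: dict, form: dict, session: dict) -> bool:
    """Accept a state change only for a POST that carries the token bound to this
    session (constant-time compare) and does not arrive from a foreign origin."""
    if method.upper() != "POST":
        return False            # never mutate state on GET
    expected = session.get(TOKEN_FIELD)
    supplied = form.get(TOKEN_FIELD)
    if not isinstance(expected, str) or not isinstance(supplied, str):
        return False
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False
    return _origin_ok(headers)


def vulnerable_settings_handler(method, headers, form, session, settings):
    """The pattern CWE-352 describes: being logged in is the only check, so a
    forged POST relayed by the admin's browser is honoured."""
    if not session.get("admin"):
        return False
    settings.update(form)
    return True


def hardened_settings_handler(method, headers, form, session, settings):
    """Same handler with the intent check placed before the state change."""
    if not session.get("admin"):
        return False
    if not request_is_intentional(method, headers, form, session):
        return False
    settings.update({k: v for k, v in form.items() if k != TOKEN_FIELD})
    return True


def demo():
    """Constructed sample traffic: one submission from the real admin UI and one
    the admin's browser made from an attacker page (no token, foreign Origin)."""
    session = {"admin": True}          # assume the administrator is logged in
    token = issue_token(session)
    legit_headers = {"Origin": SITE_ORIGIN}
    legit_form = {"site_name": "Kandidat", TOKEN_FIELD: token}
    forged_headers = {"Origin": "https://attacker.example"}
    forged_form = {"site_name": "pwned"}

    results = {}
    store = {}
    results["vuln_forged"] = vulnerable_settings_handler("POST", forged_headers, forged_form, session, store)
    store = {}
    results["hard_forged"] = hardened_settings_handler("POST", forged_headers, forged_form, session, store)
    store = {}
    results["hard_legit"] = hardened_settings_handler("POST", legit_headers, legit_form, session, store)
    results["hard_legit_value"] = store.get("site_name")
    return results


if __name__ == "__main__":
    print(demo())
```

The token check is the primary control; the Origin/Referer comparison only adds a second hurdle and must not replace it, since not every client sends those headers. A hardened application would also set SameSite on the session cookie, but that mitigation lives in cookie configuration rather than in the handler shown here.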