usd-2023-0035 | Cross-Site Request Forgery in hugocms

Advisory ID: usd-2023-0035
Product: hugocms
Affected Version: (latest as of 25.09.2023; commit 77443d6)
Vulnerability Type: CWE-352: Cross-Site Request Forgery (CSRF)
Security Risk: HIGH
Vendor URL: https://hugoeditor.com/
Vendor Acknowledged Vulnerability: Yes
Vendor Status: Fixed
Advisory Status: Published
CVE Number: CVE-2023-49325
First Published: 2024-07-18
Last Update: 2024-07-18

Description

The application hugocms, developed by Inter-Data, provides a frontend for the static site generator hugo to manage posts and other aspects of the site. The application does not provide any access-control mechanism of its own and recommends restricting access via a web server's basic auth capabilities.

No mechanism is implemented to prevent cross-site request forgery. All functionality of hugocms is affected. In the worst case, a manipulated website can redirect users to hugocms and execute system commands.

Proof of Concept

Clicking a link like http://10.1.1.157/public/edit/hugocms/editor.control.php?action=system&data=id or directly redirecting a user to the respective address triggers a command execution of id.
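The root cause is that state-changing actions are reachable through a plain GET request and nothing ties the request to the user's own session. The following is an added example of a synchronizer-token guard for a PHP controller of this kind; it is not hugocms code and not the vendor's fix, and the function names, the `csrf_token` form field and the `$allowedOrigin` value are assumptions made for illustration.

```php
<?php
// Added example (not hugocms code): synchronizer-token CSRF guard for a PHP
// controller such as editor.control.php. Names are illustrative assumptions.
declare(strict_types=1);

session_start();

// Issue one random token per session and keep it server-side.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden field to embed in every form that triggers an action.
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Returns true only for a POST that carries the session's token and does not
// come from a foreign origin. A link or redirect (the GET in the proof of
// concept) is rejected outright by the method check.
function csrf_guard(array $server, array $post, array $session, string $allowedOrigin): bool
{
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return false;
    }
    // Defence in depth: browsers attach Origin to cross-site POSTs.
    $origin = $server['HTTP_ORIGIN'] ?? null;
    if ($origin !== null && $origin !== $allowedOrigin) {
        return false;
    }
    $expected = $session['csrf_token'] ?? '';
    $supplied = $post['csrf_token'] ?? '';
    if ($expected === '' || $supplied === '') {
        return false;
    }
    // Constant-time comparison so timing does not leak the token.
    return hash_equals($expected, $supplied);
}

// Usage at the top of the controller, before any action is dispatched.
$scheme = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') ? 'https' : 'http';
$allowedOrigin = $scheme . '://' . ($_SERVER['HTTP_HOST'] ?? 'localhost');
if (!csrf_guard($_SERVER, $_POST, $_SESSION, $allowedOrigin)) {
    http_response_code(403);
    exit('Request rejected: missing or invalid CSRF token');
}
// ... dispatch $_POST['action'] here ...
```

The method check matters on its own: because the application relies on HTTP basic auth, the browser attaches those credentials to any navigation to the editor URL, so a cookie attribute such as `SameSite` offers no protection here. Moving every action to POST and binding it to a per-session token is what prevents a foreign page from triggering it.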

Timeline

  • 2023-09-25: Vulnerability identified by Florian Dewald.
  • 2023-10-02: Sent first contact request.
  • 2023-10-16: Sent reminder email mentioning disclosure deadline.
  • 2023-10-25: Sent another reminder stressing that vulnerabilities will be publicly disclosed.
  • 2023-11-13: Sent another reminder stressing our deadline and that vulnerabilities will be publicly disclosed if we receive no answer.
  • 2023-11-22: Reached vendor via phone, sent vulnerability information.
  • 2023-12-04: Sent status update request to info@inter-data.de.
  • 2023-12-06: Inter-Data reports that a fix is being worked on.
  • 2024-01-03: According to Inter-Data a fix is in the works and should be finished soon.
  • 2024-01-24: Reached out to Inter-Data for another status update.
  • 2024-01-26: Inter-Data reports that the vulnerability is fixed.
  • 2024-07-18: This advisory is published.

Credits

This security vulnerability was identified by Florian Dewald of usd AG.