Published: 03/02/2022 Updated: 10/02/2022
CVSS v2 Base Score: 6.8 | Impact Score: 6.4 | Exploitability Score: 8.6
CVSS v3 Base Score: 8.8 | Impact Score: 5.9 | Exploitability Score: 2.8
CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Vulnerability Summary

** DISPUTED ** A Cross-Site Request Forgery (CSRF) vulnerability exists in Backdrop CMS 1.20 that allows remote attackers to gain Remote Code Execution (RCE) on the hosting web server by uploading a malicious add-on containing a crafted PHP file. NOTE: the vendor disputes this because the attack requires the session cookie of a high-privileged authenticated user who is entitled to install arbitrary add-ons.
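The summary turns on one missing control: the add-on upload form is said to accept a POST that rides the administrator's session cookie without proving the request came from the site's own form. The example below is added here to show what that control looks like and why the vendor's dispute matters; it is not Backdrop's code, and the site origin, role name, Session and Request shapes and the package bytes are all constructed for the illustration. The unprotected handler authorises on the cookie-bound session alone, so a form auto-submitted from an attacker's page succeeds with the victim's privileges; the protected handler additionally checks the Origin header and a per-session synchronizer token that a cross-site page cannot read.

```python
"""Synchronizer-token CSRF check for a privileged add-on upload endpoint.

Added illustration of the defence whose absence the advisory describes;
this is not Backdrop's code. The site origin, role name, session layout,
request shape and package bytes are constructed for the example.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Tuple

SITE_ORIGIN = "https://cms.example"  # constructed site origin
ADMIN_ROLE = "administrator"         # constructed role name


@dataclass
class Session:
    """Server-side session resolved from the cookie the browser attached."""
    user: str
    roles: FrozenSet[str]
    # One unpredictable token per session, rendered into the upload form as a
    # hidden field. An attacker's page cannot read it (same-origin policy), so
    # it cannot be copied into a forged cross-site POST.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    form: Dict[str, object]        # posted fields, e.g. csrf_token and package
    session: Optional[Session]     # set because the browser sent the victim's cookie
    origin: Optional[str] = None   # Origin header; browsers add it to cross-site POSTs


def install_addon_unprotected(req: Request) -> Tuple[int, str]:
    """Vulnerable shape: authorises on the cookie-bound session alone.

    A form auto-submitted from an attacker's page carries the admin's cookie,
    so a forged POST passes this check and the ZIP is installed.
    """
    if req.method != "POST":
        return 405, "method not allowed"
    if req.session is None or ADMIN_ROLE not in req.session.roles:
        return 403, "forbidden"
    return 200, f"installed package of {len(req.form['package'])} bytes"


def install_addon_protected(req: Request) -> Tuple[int, str]:
    """Hardened shape: the same authorisation plus two CSRF defences."""
    if req.method != "POST":
        return 405, "method not allowed"
    if req.session is None or ADMIN_ROLE not in req.session.roles:
        return 403, "forbidden"
    # Defence 1: refuse the request when the browser names a foreign origin.
    if req.origin is not None and req.origin != SITE_ORIGIN:
        return 403, "cross-origin request refused"
    # Defence 2: the hidden form field must equal the session's token.
    # compare_digest keeps the comparison constant-time.
    supplied = req.form.get("csrf_token", "")
    if not isinstance(supplied, str) or not hmac.compare_digest(
        supplied, req.session.csrf_token
    ):
        return 403, "missing or invalid CSRF token"
    return 200, f"installed package of {len(req.form['package'])} bytes"


def scenario() -> Dict[str, int]:
    """Run a legitimate admin upload and two forged ones through both handlers."""
    admin = Session(user="admin", roles=frozenset({ADMIN_ROLE}))
    package = b"PK\x03\x04 constructed zip bytes"  # constructed, not a real archive

    # The admin submits the real form: same origin, hidden token present.
    legit = Request("POST", {"csrf_token": admin.csrf_token, "package": package},
                    admin, SITE_ORIGIN)
    # An attacker's page auto-submits the form. The browser attaches the admin's
    # cookie, but the attacker can only guess the token and the Origin is theirs.
    forged = Request("POST", {"csrf_token": "guess", "package": package},
                     admin, "https://evil.example")
    # The same forgery with no Origin header at all: the token check must hold.
    forged_no_origin = Request("POST", {"package": package}, admin, None)

    return {
        "unprotected_legit": install_addon_unprotected(legit)[0],
        "unprotected_forged": install_addon_unprotected(forged)[0],
        "protected_legit": install_addon_protected(legit)[0],
        "protected_forged": install_addon_protected(forged)[0],
        "protected_forged_no_origin": install_addon_protected(forged_no_origin)[0],
    }


if __name__ == "__main__":
    for name, status in scenario().items():
        print(f"{name}: {status}")
```

The two forged requests are what the CVE description and the vendor's dispute are both about: the attacker never holds the session cookie, the victim's browser supplies it, which is why the attack needs a logged-in administrator to visit the attacker's page. The token is tied to the server-side session rather than stored in a cookie, since anything in a cookie is sent automatically and would not distinguish a forged request from a real one.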



Vulnerable Products

backdropcms backdrop 1.20.0

GitHub Repositories

CSRF to RCE on Backdrop CMS 1.20
This PoC describes how to exploit CSRF on Backdrop CMS version 1.20 with escalation to RCE.

CVE ID: CVE-2021-45268

Description: The Backdrop CMS version 1.20 allows plugins to be added via ZIP files uploaded to the site. And because it does not have anti-CSRF protection, it is possible for an attacker to create a plugin with a file that allows e