CVE-2021-45268 (CVSSv2 6.8)

Published: 03/02/2022 Updated: 11/04/2024
CVSS v2 Base Score: 6.8 | Impact Score: 6.4 | Exploitability Score: 8.6
CVSS v3 Base Score: 8.8 | Impact Score: 5.9 | Exploitability Score: 2.8
VMScore: 605
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Vulnerability Summary

A Cross-Site Request Forgery (CSRF) vulnerability exists in Backdrop CMS 1.20, which allows remote malicious users to gain Remote Code Execution (RCE) on the hosting web server by uploading a malicious add-on containing a crafted PHP file. NOTE: the vendor disputes this because the attack requires a session cookie of a high-privileged authenticated user who is entitled to install arbitrary add-ons.

Vulnerable Product

backdropcms backdrop 1.20.0

Github Repositories

CSRF to RCE on Backdrop CMS 1.20

This PoC describes how to exploit CSRF on Backdrop CMS version 1.20 with escalation to RCE.

CVE ID: CVE-2021-45268

Description: Backdrop CMS version 1.20 allows plugins to be added via ZIP files uploaded to the site. Because it does not have anti-CSRF protection, it is possible for an attacker to create a plugin with a file that allows e