CVE-2019-20390

A Cross-Site Request Forgery (CSRF) vulnerability was discovered in Subrion CMS 4.2.1 that allows a remote attacker to remove files on the server without a victim's knowledge, by enticing an authenticated user to visit an attacker's web page. The application fails to validate the CSRF token for a GET request. An attacker can craft a panel/uploads/read.json?cmd=rm URL (removing this token) and send it to the victim.

Published: May 15, 2020
Updated: Apr 13, 2023
CVE: CVE-2019-20390
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 8.1
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

CVSS v2:

Severity: Medium
Score: 5.8
AV:N/AC:M/Au:N/C:N/I:P/A:P

CWEs:

CWE-352

Affected Software
References

Software	From	Fixed in
intelliants / subrion	4.2.1	4.2.1.x

http://packetstormsecurity.com/files/157700/Subrion-CMS-4.2.1-Cross-Site-Request-Forgery.html

Vulnerability Database

CVE-2019-20390