CVE-2021-25976

In PiranhaCMS, versions 4.0.0-alpha1 to 9.2.0 are vulnerable to cross-site request forgery (CSRF) when performing various actions supported by the management system, such as deleting a user, deleting a role, editing a post, deleting a media folder etc., when an ID is known.

Published: Nov 16, 2021
Updated: May 9, 2024
CVE: CVE-2021-25976
GHSA: GHSA-ppq7-88c7-q879
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 8.1
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

CVSS v2:

Severity: Low
Score: 4
AV:N/AC:H/Au:N/C:N/I:P/A:P

CWEs:

CWE-352

Affected Software
References

Software	From	Fixed in
dotnetfoundation / piranha_cms	4.0.0	4.0.0.x
dotnetfoundation / piranha_cms	4.0.0-rc1	4.0.0-rc1.x
dotnetfoundation / piranha_cms	4.0.0-beta1	4.0.0-beta1.x
dotnetfoundation / piranha_cms	4.0.0-alpha1	4.0.0-alpha1.x
dotnetfoundation / piranha_cms	4.0.0-alpha3	4.0.0-alpha3.x
dotnetfoundation / piranha_cms	4.0.0-alpha4	4.0.0-alpha4.x
dotnetfoundation / piranha_cms	4.0.0-alpha5	4.0.0-alpha5.x
dotnetfoundation / piranha_cms	4.0.0-alpha6	4.0.0-alpha6.x
dotnetfoundation / piranha_cms	4.0.0-alpha7	4.0.0-alpha7.x
dotnetfoundation / piranha_cms	4.0.0-alpha8	4.0.0-alpha8.x
dotnetfoundation / piranha_cms	4.0.0-alpha9	4.0.0-alpha9.x
dotnetfoundation / piranha_cms	4.0.1	9.2.x
Piranha	4.0.0-alpha1	10.0-alpha1

Vulnerability Database

CVE-2021-25976

Deep Security Visibility Without the Complexity