Cross-Site Request Forgery in LayerBB Software
CVE-2018-17996

6.5MEDIUM

Key Information:

Vendor

Layerbb

Status
Layerbb
Vendor
CVE Published:
21 March 2019

Badges

๐Ÿ‘พ Exploit Exists๐ŸŸก Public PoC

What is CVE-2018-17996?

LayerBB versions prior to 1.1.3 are vulnerable to Cross-Site Request Forgery (CSRF) attacks. This flaw allows an attacker to make unauthorized actions on behalf of an authenticated user. Specifically, it enables the addition of new users via admin/new_user.php, deletion of users via admin/members.php/delete_user/, and the deletion of content through mod/delete.php. Exploiting this vulnerability can lead to significant unauthorized changes within the LayerBB application, posing risks to user management and content integrity.

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2018-17996 - Proof of Concept

References

http://packetstormsecurity.com/files/151694/LayerBB-1.1.2...
x_refsource_MISC
https://www.exploit-db.com/exploits/46379/
exploitx_refsource_EXPLOIT-DB
https://github.com/AndyRixon/LayerBB/issues/38
x_refsource_MISC

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • ๐ŸŸก

    Public PoC available

  • ๐Ÿ‘พ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

.