CSRF Vulnerability in Backdrop CMS Allows Remote Code Execution
CVE-2021-45268

8.8HIGH

Key Information:

Vendor: Backdropcms
Status: Backdrop
Vendor: CVE Published:; 3 February 2022

🔔 Create Backdropcms Vulnerability Alert

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2021-45268?

A Cross Site Request Forgery (CSRF) vulnerability exists in Backdrop CMS 1.20, allowing remote attackers to potentially execute arbitrary code on the hosting web server. This can be achieved by uploading a malicious add-on containing a crafted PHP file, but the attack necessitates a session cookie from a high-privileged authenticated user who has the capability to install arbitrary add-ons. The vendor has expressed disagreement with the severity of this issue, emphasizing the need for appropriate user privileges.

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2021-45268 - Proof of Concept

References

https://www.exploit-db.com/exploits/50323

x_refsource_MISC

https://github.com/V1n1v131r4/CSRF-to-RCE-on-Backdrop-CMS

x_refsource_MISC

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Feb 3, 2022
👾
Exploit known to exist
Feb 3, 2022
Vulnerability published
Feb 3, 2022
Vulnerability Reserved
Dec 20, 2021

CVE-2021-45268 Data

JSON