Cross-Site Request Forgery Vulnerability in Cotonti Siena by Cotonti
CVE-2026-58143
What is CVE-2026-58143?
Cotonti Siena versions 0.9.26 and earlier are susceptible to a Cross-Site Request Forgery vulnerability that poses serious implications for the security of administrator configurations. This flaw allows unauthenticated attackers to exploit the application by tricking a logged-in administrator into submitting a forged POST request directed at the admin.php config update handler. Notably, the application fails to invoke CSRF validation upon this action, which can result in the modification of sensitive configuration settings. Exploiters can disable the PFS module's file extension whitelist, thereby enabling any user with PFS access to upload and execute arbitrary PHP files on the server. This vulnerability emphasizes the importance of implementing robust CSRF protection measures to safeguard administrative functions.
Affected Version(s)
Cotonti 0 <= 0.9.26
References
CVSS V4
Timeline
- ๐ก
Public PoC available
- ๐พ
Exploit known to exist
Vulnerability published
Vulnerability Reserved
