CVE-2020-18326

8.8 HIGH

📋 TL;DR

This cross-site request forgery (CSRF) flaw in the administrator functions of Subrion CMS 4.2.1 lets a remote, unauthenticated attacker create an administrator account by luring an already logged-in administrator to an attacker-controlled web page. The victim's browser submits the account-creation request with the administrator's session cookie attached, and the CMS honours it because the Members administrator function does not validate an anti-CSRF token. A successful attack gives the attacker full administrative control of the instance.

💻 Affected Systems

Products:
  • Intelliants Subrion CMS
Versions: 4.2.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the Members administrator function (the /admin/members/ pages) to be reachable by the victim administrator. It is part of the standard admin panel and is enabled by default in the affected version, so no special configuration is needed.

📦 What is this software?

Subrion CMS is an open-source, PHP and MySQL based content management system developed by Intelliants. The flaw lies in its back-end administration panel, not in the public site.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the CMS: the attacker creates persistent admin accounts, leading to data theft, defacement, malware injection, and lateral movement to connected systems.

🟠 Likely Case

Attackers create hidden admin accounts to maintain persistent access, modify content, steal sensitive data, or use the CMS as a foothold for further attacks.

🟢 If Mitigated

With proper CSRF protection in place, the forged request is rejected and administrators remain protected from unauthorized account creation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The attacker never authenticates to the CMS; the exploit works by getting an administrator who is currently logged in (session cookie still valid) to open an attacker-controlled page or link, whose auto-submitted form posts the account-creation request through the victim's browser.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.2.2 or later

Vendor Advisory: http://subrion.com/forums/threads/subrion-4-2-2-is-available.12468/

Restart Required: No

Instructions:

1. Back up your Subrion CMS installation and database.
2. Download Subrion CMS 4.2.2 or later from the official website.
3. Replace all files with the new version, preserving configuration files.
4. Have all administrators log out and back in (clearing browser cache and cookies if needed) so that existing sessions use the patched forms.
5. Verify that the Members administrator function now rejects POST requests without a valid anti-CSRF token.

🔧 Temporary Workarounds

CSRF Token Implementation (applies to: all platforms)

  • Manually add anti-CSRF tokens to the Members administrator function forms.
  • Modify the /admin/members/ PHP files to validate the token server-side on every state-changing request. The token must be tied to the administrator's session and compared in constant time; a token that is merely present but not checked against the session gives no protection.

Disable Members Administrator Function (applies to: all platforms)

  • Temporarily disable the vulnerable Members function in the admin panel.
  • Navigate to Admin Panel > Configuration and disable the Members module if your installation allows it. This blocks legitimate member administration too, so treat it as a stop-gap until you can upgrade.

🧯 If You Can't Patch

  • Set the SameSite attribute (Lax or Strict) on the admin session cookie so that browsers do not attach it to cross-site POST requests; this is the one header-level control that directly defeats the attack. A Content-Security-Policy on the CMS does not stop CSRF, because the forged request originates from the attacker's page, not from the CMS.
  • Restrict access to /admin/ at the web server or reverse proxy (source IP allow-list or an additional authentication layer), so that a forged request from a victim's browser outside the allowed network is dropped before it reaches the CMS.
  • Have administrators use a dedicated browser profile for the CMS and log out when they are not actively using it; browser extensions that block cross-site requests help only partially and should not be relied on alone.
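The workaround above asks for a token check in the /admin/members/ handlers. The block below is an added Python model of that check, not Subrion code and not a drop-in for its PHP files: it shows the two properties the check needs (a token bound to the administrator's session and to a time window, compared in constant time) plus an Origin/Referer check as defense in depth. The field name `__csrf`, the function names, and the use of a server secret generated at import time are assumptions for the example; a real deployment would load the secret from configuration.

```python
"""Session-bound anti-CSRF token issue/verify (added example, illustrative only).

Models what a hardened /admin/members/ POST handler should check before
creating an account. Names and the ``__csrf`` field are assumptions.
"""
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlsplit

# Assumed to be loaded from the CMS configuration in a real deployment.
SERVER_SECRET = secrets.token_bytes(32)
TOKEN_TTL = 3600  # seconds a token remains valid


def _mac(session_id, ts):
    """HMAC over session id and issue time; the token is useless in any other session."""
    msg = f"{session_id}|{ts}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_token(session_id, now=None):
    """Return 'timestamp.mac' for embedding as a hidden form field."""
    ts = int(time.time() if now is None else now)
    return f"{ts}.{_mac(session_id, ts)}"


def verify_token(session_id, token, now=None):
    """True only for an unexpired token minted for this exact session."""
    if not isinstance(token, str) or "." not in token:
        return False
    ts_str, mac = token.split(".", 1)
    if not ts_str.isdigit():
        return False
    ts = int(ts_str)
    current = int(time.time() if now is None else now)
    if not 0 <= current - ts <= TOKEN_TTL:
        return False
    # Constant-time compare so the MAC cannot be recovered byte by byte.
    return hmac.compare_digest(_mac(session_id, ts), mac)


def same_origin(headers, site_origin):
    """Reject requests whose Origin (or, failing that, Referer) is another site.

    Browsers send Origin on cross-site POSTs; a request with neither header is
    treated as untrusted, which a strict referrer policy on the admin UI could
    trigger for legitimate users, so keep the token check as the primary control.
    """
    h = {k.lower(): v for k, v in headers.items()}
    origin = h.get("origin")
    if origin is None:
        ref = h.get("referer")
        if not ref:
            return False
        p = urlsplit(ref)
        origin = f"{p.scheme}://{p.netloc}"
    return origin.lower() == site_origin.lower()


def admin_request_allowed(session_id, form, headers, site_origin, now=None):
    """Gate for a state-changing admin POST such as 'create member'."""
    return (verify_token(session_id, form.get("__csrf", ""), now)
            and same_origin(headers, site_origin))


if __name__ == "__main__":
    # Constructed scenario: a forged cross-site POST without a token is refused,
    # the same request from the admin's own page with a fresh token is accepted.
    tok = issue_token("sess-admin")
    print(admin_request_allowed("sess-admin", {}, {"Origin": "https://evil.example"},
                                "https://cms.example.com"))
    print(admin_request_allowed("sess-admin", {"__csrf": tok},
                                {"Origin": "https://cms.example.com"},
                                "https://cms.example.com"))
```

Porting this to PHP means `hash_hmac('sha256', ...)` for the MAC and `hash_equals()` for the comparison; the logic is otherwise the same.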

🔍 How to Verify

Check if Vulnerable:

Confirm the installed version is 4.2.1. Then, from a logged-in administrator session, replay a POST to /admin/members/ with no anti-CSRF field and with an Origin or Referer header naming a foreign host; if the CMS still processes the request (for example, the account appears in the member list), the instance is vulnerable.

Check Version:

Check /includes/constants.php for define('IA_VERSION', '4.2.1'); or view version in admin dashboard

Verify Fix Applied:

After updating, repeat the same test: a POST to the Members admin function without a valid anti-CSRF token must be rejected and no account must be created.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected administrator account creation events
  • Multiple failed login attempts followed by successful admin creation
  • POST requests to /admin/members/ whose Referer or Origin header is missing or names a host other than the CMS (a forged request usually carries the attacker page's Referer unless its referrer policy strips it)

Network Indicators:

  • HTTP requests to Members admin endpoints from unexpected sources
  • Lack of CSRF tokens in admin form submissions

SIEM Query:

source="web_logs" AND (uri_path="/admin/members/" AND http_method="POST") AND NOT csrf_token=*

The field names (uri_path, http_method, csrf_token) are placeholders for whatever your log parser emits. Note that the token travels in the POST body, which standard access logs do not record, so this query only works where request bodies are logged; otherwise hunt for POSTs to /admin/members/ whose Referer or Origin is absent or names a host other than the CMS.
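The Referer/Origin hunt described above, run over access logs, as an added example that is not part of the original page: it parses Apache/nginx "combined" format lines and flags POSTs to /admin/members/ whose Referer is missing or points at another host. The sample log lines are constructed for the example, and the CMS host name `cms.example.com` is an assumption.

```python
"""Flag CSRF-like POSTs to the Subrion Members admin path in combined-format logs.

Added example; the log lines below are constructed and the host name assumed.
"""
import re
from urllib.parse import urlsplit

# Apache/nginx "combined": ip ident user [ts] "METHOD PATH PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

ADMIN_PREFIX = "/admin/members/"  # path named in this advisory


def referer_host(referer):
    """Host part of a Referer value, or None when the header was absent ('-')."""
    if referer in ("", "-"):
        return None
    return urlsplit(referer).netloc.lower()


def suspicious_admin_posts(lines, site_host):
    """Return POSTs to the Members admin path with a missing or foreign Referer.

    A forged request from a lure page normally carries that page's Referer;
    a missing Referer is also reported because referrer policies can strip it.
    """
    hits = []
    site_host = site_host.lower()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        if m["method"] != "POST" or not m["path"].startswith(ADMIN_PREFIX):
            continue
        host = referer_host(m["referer"])
        if host is None:
            reason = "no referer"
        elif host != site_host:
            reason = f"cross-site referer {host}"
        else:
            continue  # same-site referer: expected for a normal admin action
        hits.append({"ip": m["ip"], "ts": m["ts"], "path": m["path"],
                     "status": m["status"], "reason": reason})
    return hits


# Constructed sample: one forged POST via a lure page, one legitimate admin POST,
# one POST with the Referer stripped, and a harmless GET.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2021:14:02:11 +0000] "POST /admin/members/ HTTP/1.1" '
    '302 0 "https://evil.example/lure.html" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Mar/2021:14:05:40 +0000] "POST /admin/members/ HTTP/1.1" '
    '302 0 "https://cms.example.com/admin/members/" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2021:14:06:02 +0000] "POST /admin/members/ HTTP/1.1" '
    '302 0 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Mar/2021:14:07:15 +0000] "GET /admin/members/ HTTP/1.1" '
    '200 5120 "https://cms.example.com/admin/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in suspicious_admin_posts(SAMPLE_LOG, "cms.example.com"):
        print(hit)
```

Correlate each hit with the CMS's own user table or admin audit log: a flagged POST followed by a new administrator account created from the same source IP and timestamp is the pattern to escalate.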
