CVE-2021-20102

8.8 HIGH

📋 TL;DR

Machform versions before 16 do not attach anti-CSRF tokens to state-changing requests, so an attacker who lures a logged-in Machform user (typically an administrator) to a malicious page can make that user's browser issue form-management actions without their knowledge. Any organization running a pre-16 Machform installation is affected.

💻 Affected Systems

Products:
  • Machform
Versions: All versions prior to 16
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of Machform prior to version 16 are vulnerable regardless of configuration.

📦 What is this software?

Machform is a self-hosted PHP form builder used to create, publish and manage web forms and to collect their submissions through a web-based admin interface.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An administrator who is logged in to Machform and opens an attacker-controlled page has their browser silently create, modify or delete forms, or change installation settings. CSRF does not let the attacker read responses, so "stealing" submissions means, for example, changing where notifications or exports are delivered rather than reading data directly. Because the forged requests run with the administrator's full privileges, this can amount to compromise of the whole installation.

🟠 Likely Case

A form owner or administrator is lured by a link or an embedded image to a page that fires the forged request; existing forms are altered or removed, or settings are changed, with nothing visible to the victim beyond the result. Public form submission is not the issue here, since those endpoints accept unauthenticated posts by design.

🟢 If Mitigated

With a per-session anti-CSRF token validated on every state-changing request, a forged request from another site arrives without a valid token and is rejected, even if the victim is logged in and visits the malicious page.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

CSRF attacks are well understood and trivial to build: a hidden auto-submitting HTML form on any attacker-controlled page suffices. The victim must have an active Machform session (normally an administrator) and open the attacker's page in the same browser; no credentials are needed because the browser attaches the victim's session cookie to the forged request automatically.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 16

Vendor Advisory: https://www.machform.com/blog-machform-16-released/

Restart Required: No

Instructions:

1. Back up the current Machform files and database.
2. Download Machform 16 from the official website.
3. Replace all files with the new version.
4. Run the update script if provided.
5. Test functionality.

🔧 Temporary Workarounds

Implement CSRF Protection Manually

Applies to: all vulnerable versions

Add an unpredictable per-session token as a hidden field to every state-changing form in the admin interface and reject any POST whose token is missing or does not match the copy held in the session, using a constant-time comparison. Checking that the Origin or Referer header matches your own host is a cheaper second layer, but some clients strip those headers, so it should not be the only control.

Use SameSite Cookies

Applies to: all vulnerable versions

Mark the Machform session cookie SameSite=Strict so that browsers omit it from cross-site requests. If the cookie is issued by PHP's native session handler (an assumption; check how your installation starts sessions), set session.cookie_samesite=Strict in php.ini (PHP 7.3 or later); otherwise set the attribute wherever the cookie is issued:

Set-Cookie: session=value; SameSite=Strict; Secure; HttpOnly

Caveats: this is defense in depth, not a replacement for tokens. Older browsers ignore the attribute; Strict also drops the cookie on top-level navigations from other sites, so administrators following an external link land logged out; and any other application on the same registrable domain is still same-site and can send the cookie.
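The synchronizer-token workaround above, shown as an added example written for this page (it is not Machform code). The session store (one dict per logged-in user), the hidden-field name and the site origin are assumptions, not Machform identifiers; the requests in demo() are constructed.

```python
"""Synchronizer-token CSRF check for state-changing admin requests.

Added example written for this page; it is not Machform code. The session
store (a dict per logged-in user), the hidden-field name and the site origin
are assumptions, not Machform identifiers.
"""
import hmac
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

TOKEN_FIELD = "csrf_token"                  # hidden-field name (assumed)
SITE_ORIGIN = "https://forms.example.com"   # where Machform is served (assumed)
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}   # must never change state, so never checked


def issue_token(session: Dict[str, str]) -> str:
    """Create the per-session token once and return it for embedding in forms."""
    if TOKEN_FIELD not in session:
        session[TOKEN_FIELD] = secrets.token_urlsafe(32)  # 256 bits, unguessable
    return session[TOKEN_FIELD]


def hidden_input(session: Dict[str, str]) -> str:
    """The <input> every server-rendered admin form must carry."""
    return f'<input type="hidden" name="{TOKEN_FIELD}" value="{issue_token(session)}">'


def origin_matches(headers: Dict[str, str]) -> Optional[bool]:
    """Second layer: does Origin (or, failing that, Referer) name our own site?

    Returns None when neither header is present; some clients strip them,
    so absence alone is not treated as an attack.
    """
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return None
    a, b = urlsplit(src), urlsplit(SITE_ORIGIN)
    return (a.scheme, a.hostname, a.port) == (b.scheme, b.hostname, b.port)


def validate_request(session: Dict[str, str], method: str,
                     form: Dict[str, str], headers: Dict[str, str]) -> Tuple[bool, str]:
    """Return (accepted, reason) for one request.

    An attacker's page can make the victim's browser send the session cookie,
    but cannot read the token out of the victim's admin pages, so a forged
    request arrives with no token or with a wrong one.
    """
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    expected = session.get(TOKEN_FIELD)
    submitted = form.get(TOKEN_FIELD)
    if not expected or not submitted:
        return False, "missing token"
    # Constant-time comparison so the check does not leak the token byte by byte.
    if not hmac.compare_digest(expected.encode(), submitted.encode()):
        return False, "token mismatch"
    if origin_matches(headers) is False:
        return False, "cross-site origin"
    return True, "ok"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Constructed requests: one genuine, two forged from an attacker's page."""
    session: Dict[str, str] = {}
    token = issue_token(session)
    return {
        "legit": validate_request(session, "POST",
                                  {TOKEN_FIELD: token, "form_name": "Contact"},
                                  {"Origin": SITE_ORIGIN}),
        "forged_no_token": validate_request(session, "POST", {"form_name": "Contact"},
                                            {"Origin": "https://attacker.example"}),
        "forged_guessed": validate_request(session, "POST", {TOKEN_FIELD: "A" * 43},
                                           {"Referer": "https://attacker.example/csrf.html"}),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The token is the primary control; the Origin/Referer check only rejects an explicit mismatch, so a request that carries a valid token but no such headers is still accepted. Rotate the token on login to avoid carrying one over from a pre-authentication session.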

🧯 If You Can't Patch

  • Configure the WAF or reverse proxy in front of Machform to reject POST requests to the admin interface whose Origin or Referer header is present and names a host other than your own (a WAF cannot see a token the application never issues; rejecting requests with no Referer at all will break some legitimate clients)
  • Require re-authentication for sensitive actions and implement additional confirmation steps

🔍 How to Verify

Check if Vulnerable:

Read the version shown in the Machform admin panel or recorded in the source files. Any version below 16 is vulnerable regardless of configuration.

Check Version:

Open the admin dashboard or examine /includes/version.php in the installation directory.

Verify Fix Applied:

After upgrading to 16, load an admin page that changes state (for example the form editor), confirm the rendered HTML contains a hidden anti-CSRF field, then replay the same request from a proxy or the browser's developer tools with the token removed or altered and confirm the server rejects it instead of applying the change.

📡 Detection & Monitoring

Log Indicators:

  • State-changing requests to the Machform admin interface (form create, edit, delete, settings changes) whose Referer or Origin header names a site other than your own
  • Admin-side changes with no Referer at all; this is ambiguous, since privacy settings and some browsers strip the header, so correlate it with the session's preceding page views rather than alerting on it alone (public form submissions in rapid succession are not an indicator of this bug)

Network Indicators:

  • POST requests to Machform admin endpoints carrying an Origin or Referer that points at an external site; a missing or non-matching token is only observable after the upgrade to 16, which introduces the token

SIEM Query:

Illustrative Splunk-style search over web-server access logs; field names depend on your log source, and the host and admin path are placeholders. Pre-16 Machform issues no token at all, so a filter on a missing token field matches every request; the usable signal is a state-changing request to the admin interface whose Referer names another site:

source="access.log" method="POST" uri_path="/admin/*" referer!="-" NOT referer="https://forms.example.com/*"
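The same triage applied to raw access-log lines, as an added example written for this page (not part of the advisory or of Machform). The lines are constructed in Apache "combined" format; the site host and the admin path prefix are assumptions for the example, not Machform paths.

```python
"""Triage for CSRF-driven admin actions in web-server access logs.

Added example written for this page; it is not part of the advisory or of
Machform. The log lines below are constructed in Apache "combined" format,
and the site host and admin path prefix are assumptions for the example.
"""
import re
from collections import Counter
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

SITE_HOST = "forms.example.com"      # host Machform is served from (assumed)
ADMIN_PREFIX = "/admin/"             # where state-changing admin pages live (assumed)
STATE_CHANGING = {"POST", "PUT", "DELETE"}

# Apache combined: ip ident user [time] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: a genuine admin save, two requests from a victim lured to
# attacker.example, an admin page view, and a public form submission embedded
# on a partner site (cross-site, but expected for a form builder).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2021:10:01:02 +0000] "POST /admin/save_form.php HTTP/1.1" 302 0 '
    '"https://forms.example.com/admin/edit_form.php?id=3" "Mozilla/5.0"',
    '198.51.100.9 - - [12/Mar/2021:10:02:15 +0000] "POST /admin/delete_form.php HTTP/1.1" 302 0 '
    '"https://attacker.example/free-gift.html" "Mozilla/5.0"',
    '198.51.100.9 - - [12/Mar/2021:10:02:16 +0000] "POST /admin/save_form.php HTTP/1.1" 302 0 '
    '"-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2021:10:03:00 +0000] "GET /admin/manage_forms.php HTTP/1.1" 200 5120 '
    '"https://forms.example.com/admin/" "Mozilla/5.0"',
    '192.0.2.5 - - [12/Mar/2021:10:04:00 +0000] "POST /view.php?id=3 HTTP/1.1" 302 0 '
    '"https://partner.example/contact" "Mozilla/5.0"',
]


def classify(line: str) -> Optional[str]:
    """One of cross-site, no-referer, same-site, out-of-scope; None if unparseable."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    if m["method"] not in STATE_CHANGING or not m["path"].startswith(ADMIN_PREFIX):
        return "out-of-scope"     # public form posts and page views are expected
    referer = m["referer"]
    if referer in ("", "-"):
        return "no-referer"       # ambiguous: privacy settings strip Referer too
    host = urlsplit(referer).hostname   # lower-cased by urlsplit
    return "same-site" if host == SITE_HOST else "cross-site"


def analyze(lines: List[str]) -> Tuple[Counter, List[Tuple[str, str, str]]]:
    """Count verdicts and list (client ip, path, referer) for cross-site hits."""
    verdicts: Counter = Counter()
    suspects: List[Tuple[str, str, str]] = []
    for line in lines:
        verdict = classify(line)
        if verdict is None:
            continue
        verdicts[verdict] += 1
        if verdict == "cross-site":
            m = LOG_RE.match(line)
            suspects.append((m["ip"], m["path"], m["referer"]))
    return verdicts, suspects


if __name__ == "__main__":
    counts, hits = analyze(SAMPLE_LOG)
    print(dict(counts))
    for ip, path, referer in hits:
        print(f"cross-site admin change: {ip} {path} referer={referer}")
```

The cross-site hit is the one worth paging on; the referer-less admin change from the same client a second later is a lead to correlate with that session's earlier page views, and the partner-site POST to the public form is filtered out by the path prefix rather than by its Referer.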
