CVE-2021-36443

8.8 HIGH

📋 TL;DR

This Cross-Site Request Forgery (CSRF) vulnerability in imcat 5.4 allows attackers to trick authenticated users into performing unintended actions, potentially leading to privilege escalation. It affects all users of imcat 5.4 who have administrative or user accounts. The vulnerability exists due to missing anti-CSRF token verification in the application.

💻 Affected Systems

Products:
  • imcat
Versions: 5.4
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of imcat 5.4 are vulnerable regardless of configuration. The vulnerability affects the web interface component.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could escalate privileges to gain administrative access, modify system settings, create new admin accounts, or compromise the entire application.

🟠 Likely Case

Attackers trick authenticated users into performing actions like changing passwords, modifying user permissions, or altering application settings without their knowledge.

🟢 If Mitigated

With proper CSRF protections, the application would reject unauthorized requests even if users are tricked into clicking malicious links.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

CSRF attacks are well-understood and easy to implement. The GitHub issue shows proof of concept. Exploitation requires the victim to be authenticated and visit a malicious page.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.5 or later

Vendor Advisory: https://github.com/peacexie/imcat/issues/9

Restart Required: No

Instructions:

1. Upgrade imcat to version 5.5 or later.
2. Verify the update includes CSRF token implementation.
3. Test critical functionality after upgrade.

🔧 Temporary Workarounds

Implement CSRF Tokens

Applies to: all

Manually add CSRF token validation to all state-changing endpoints

SameSite Cookie Attribute

Applies to: all

Set SameSite=Strict or SameSite=Lax on session cookies to limit CSRF attacks. Note that SameSite=Lax still sends the cookie on top-level cross-site GET navigations, so state-changing actions must not be reachable via GET.

Set-Cookie: session=value; SameSite=Strict; Secure; HttpOnly
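The two workarounds above (a per-session anti-CSRF token checked on every state-changing request, plus a SameSite/Secure/HttpOnly session cookie) and the Referer/Origin check listed under Network Indicators, as an added example that is not imcat's own code. The request/session model and the SITE_ORIGIN value are constructed for illustration.

```python
import hmac
import secrets

# Assumed deployment origin (constructed; replace with the real site origin).
SITE_ORIGIN = "https://example.test"


def issue_session_cookie(session_id: str) -> str:
    """Build the Set-Cookie header value recommended above."""
    return f"session={session_id}; SameSite=Strict; Secure; HttpOnly; Path=/"


def new_csrf_token() -> str:
    """Per-session synchronizer token; store it server-side and embed it in forms."""
    return secrets.token_urlsafe(32)


def _same_origin(headers: dict) -> bool:
    # Prefer Origin; fall back to Referer. An absent header is treated as foreign.
    value = headers.get("Origin") or headers.get("Referer", "")
    return value == SITE_ORIGIN or value.startswith(SITE_ORIGIN + "/")


def validate_state_change(method: str, headers: dict, form: dict, session: dict):
    """Gate for state-changing endpoints. Returns (ok, reason).

    Rejects safe methods (GET must never change state), requests whose
    Origin/Referer does not match the site, and requests whose form token
    does not match the token stored in the server-side session.
    """
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return False, "state changes must not use safe methods"
    if not _same_origin(headers):
        return False, "origin mismatch"
    expected = session.get("csrf_token", "")
    supplied = form.get("csrf_token", "")
    # Constant-time comparison; encode so non-ASCII input cannot raise.
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "missing or invalid CSRF token"
    return True, "ok"


if __name__ == "__main__":
    sess = {"csrf_token": new_csrf_token()}
    print(issue_session_cookie("constructed-session-id"))
    print(validate_state_change("POST", {"Origin": SITE_ORIGIN},
                                {"csrf_token": sess["csrf_token"]}, sess))
    print(validate_state_change("POST", {"Referer": "https://attacker.test/x"},
                                {"csrf_token": sess["csrf_token"]}, sess))
```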

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to detect and block CSRF patterns
  • Restrict administrative access to specific IP addresses or networks only

🔍 How to Verify

Check if Vulnerable:

Check if your imcat version is 5.4. Review application code for missing CSRF token validation on form submissions and state-changing requests.

Check Version:

Check imcat configuration files or admin panel for version information

Verify Fix Applied:

After patching, test that all forms and state-changing endpoints require and validate CSRF tokens. Use browser developer tools to verify token presence.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed state-changing requests from the same IP address
  • Unusual privilege changes or administrative actions

Network Indicators:

  • HTTP POST requests whose Referer or Origin header is absent or does not match the application's origin
  • State-changing requests with missing CSRF tokens

SIEM Query:

source="web_logs" AND (action="admin_change" OR action="privilege_escalation") AND referer NOT CONTAINS "yourdomain.com"
