CVE-2021-36570

8.8 HIGH

📋 TL;DR

This cross-site request forgery (CSRF) vulnerability in FUEL-CMS lets an attacker who lures a logged-in administrator to a malicious page have that administrator's browser submit a crafted request in the admin session, deleting permission records without the administrator's intent. Any FUEL-CMS installation whose administrators browse other sites while logged in to the admin panel is exposed; the result is loss or corruption of the permission model, disruption of administration, and a weakened authorization setup that an attacker could build on.

💻 Affected Systems

Products:
  • FUEL-CMS
Versions: 1.4.13 (the version named in the CVE record); earlier versions may also be affected
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: The attacker needs no credentials of their own; the forged request rides on an administrator's existing authenticated session, so the admin must be logged in when the lure is opened.

📦 What is this software?

FUEL CMS is an open-source PHP content management system built on the CodeIgniter framework and developed by Daylight Studio. Its admin panel manages site content, users and the permissions that control what each user may do.

⚠️ Risk & Real-World Impact

🔴

Worst Case

An administrator is tricked into deleting the permissions the site's access-control model depends on, leaving roles without the checks that separate them; combined with other weaknesses in the installation this could be built into a broader compromise. Note that the CSRF itself gives the attacker no session of their own and does not execute code; it only makes the victim's browser perform the delete.

🟠

Likely Case

An administrator unknowingly deletes one or more permissions; roles tied to them lose access, normal administrative work is disrupted, and the records have to be identified and recreated by hand.

🟢

If Mitigated

Limited impact with proper CSRF protections and admin session management in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires tricking an authenticated administrator into visiting a malicious page or clicking a crafted link while logged in to the admin panel; the page or link then triggers the permission-deletion request in the admin's session.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.4.14 or later

Vendor Advisory: https://github.com/daylightstudio/FUEL-CMS/issues/579

Restart Required: No

Instructions:

1. Back up the current installation (files and database).
2. Update to FUEL-CMS 1.4.14 or later.
3. Verify that CSRF tokens are required for permission deletion and for the other state-changing admin forms.

🔧 Temporary Workarounds

Implement CSRF Protection (platform: all)
  • Add CSRF tokens to all forms and validate them server-side
  • Modify the application code to include and validate CSRF tokens on every state-changing admin action, the permissions delete action first

Restrict Admin Access (platform: all)
  • Limit admin panel access to specific IP addresses or networks
  • Add IP restrictions in .htaccess or the web server configuration
  • Caveat: a forged request is sent by the administrator's own browser from an allowed address, so IP restrictions only shrink the set of browsers an attacker can abuse; they do not stop CSRF on their own

🧯 If You Can't Patch

  • Set the admin session cookie with a SameSite=Lax or SameSite=Strict attribute so cross-site requests are sent without it, and require re-authentication or an explicit confirmation step for destructive actions such as permission deletion
  • Monitor admin activity logs for unauthorized permission deletion attempts
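The server-side check that the "Implement CSRF Protection" workaround and the SameSite/re-authentication bullet describe, written out as an added example. This is illustration code, not FUEL-CMS or CodeIgniter code: the Request shape, the /permissions/delete/ path, the ADMIN_ORIGIN value and the form field name csrf_token are assumptions. It combines a per-session token compared in constant time with an Origin/Referer check, so a forged cross-site submission fails both.

```python
# Added example (not FUEL-CMS code): the server-side check the workaround
# describes. The Request shape, the /permissions/delete/ path, the
# ADMIN_ORIGIN value and the field name "csrf_token" are assumptions.
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

ADMIN_ORIGIN = "https://cms.example.com"  # assumed origin of the admin panel


@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request."""
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def issue_token() -> str:
    """Per-session CSRF token: store it in the session, render it as a hidden field."""
    return secrets.token_urlsafe(32)


def request_source(req: Request):
    """Origin the browser reports for the request (Origin header, else derived from Referer)."""
    origin = req.headers.get("Origin")
    if origin:
        return origin
    referer = req.headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        return f"{parts.scheme}://{parts.netloc}"
    return None


def csrf_check(req: Request, session_token: str):
    """Return (allowed, reason) for a state-changing request such as a permission delete.

    Both checks must pass: the request must come from our own origin and it
    must carry the token that was issued to this session.
    """
    if req.method != "POST":
        return False, "state change must use POST"
    source = request_source(req)
    if source is None:
        return False, "missing Origin and Referer"
    if source != ADMIN_ORIGIN:
        return False, f"cross-origin request from {source}"
    submitted = req.form.get("csrf_token", "")
    # Constant-time comparison on bytes so the token cannot be guessed byte by byte
    # and non-ASCII input cannot trip the comparison.
    if not submitted or not hmac.compare_digest(submitted.encode(), session_token.encode()):
        return False, "missing or invalid csrf_token"
    return True, "ok"


def demo():
    """A legitimate admin submission next to a forged cross-site submission."""
    token = issue_token()
    legit = Request("POST", "/permissions/delete/3",
                    headers={"Origin": ADMIN_ORIGIN},
                    form={"csrf_token": token})
    forged = Request("POST", "/permissions/delete/3",
                     headers={"Referer": "https://attacker.example/lure.html"},
                     form={})
    return csrf_check(legit, token), csrf_check(forged, token)


if __name__ == "__main__":
    print(demo())
```

The token check is what actually closes the hole; the source check is defence in depth. Rejecting a request that carries neither Origin nor Referer is deliberately strict and can break administrators behind privacy proxies that strip both headers, so some sites relax that branch to "token required, source checked only when present".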

🔍 How to Verify

Check if Vulnerable:

The installation is vulnerable if it runs FUEL-CMS 1.4.13 or earlier and the permissions delete action (the /permissions/delete/ path under the admin panel) accepts a request that carries no CSRF token.

Check Version:

Check the version shown in the admin panel or the FUEL_VERSION constant in the FUEL module configuration.

Verify Fix Applied:

Verify that the version is 1.4.14 or later, then confirm in a test environment that a permission-deletion request submitted without a valid CSRF token is rejected rather than executed.

📡 Detection & Monitoring

Log Indicators:

  • Multiple permission-deletion requests from the same session in a short period
  • Admin actions whose Referer or Origin header is missing, or points at a host other than the site itself

Network Indicators:

  • POST requests to /permissions/delete/ without CSRF tokens
  • Cross-origin requests (foreign Origin/Referer) to admin endpoints

SIEM Query:

source="web_logs" AND (uri="/permissions/delete/*" AND NOT csrf_token=*)

This query assumes the web server logs the CSRF field; a standard access log records neither POST bodies nor form fields. Where that field is not logged, alert on the Referer/Origin indicators above instead.
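The log indicators above run over a constructed request log, as an added example (not FUEL-CMS code and not the SIEM query itself). The JSON-lines format, its field names, the admin host cms.example.com and the burst threshold are assumptions; in particular a custom log format that records whether a CSRF token was present is assumed, because standard access logs do not carry it. The sample shows one legitimate deletion followed by three forged ones in the same session, the pattern this CVE produces.

```python
# Added example (not FUEL-CMS code): the log indicators above applied to a
# constructed JSON-lines request log. Field names, the admin host and the
# burst threshold are assumptions; a custom log format that records the
# csrf_token field is assumed.
import json
from collections import defaultdict
from urllib.parse import urlsplit

ADMIN_HOST = "cms.example.com"       # assumed host serving the admin panel
DELETE_PREFIX = "/permissions/delete/"
BURST_THRESHOLD = 3                  # deletions in one session that count as a burst

# Constructed sample log: one legitimate deletion, then three forged ones in
# the same session (the CSRF pattern), then unrelated admin traffic.
SAMPLE_LOG = """\
{"ts": 1625400000, "session": "s1", "method": "POST", "uri": "/permissions/delete/4", "referer": "https://cms.example.com/permissions", "csrf_token": "tok1"}
{"ts": 1625400010, "session": "s1", "method": "POST", "uri": "/permissions/delete/5", "referer": "https://attacker.example/lure.html", "csrf_token": ""}
{"ts": 1625400011, "session": "s1", "method": "POST", "uri": "/permissions/delete/6", "referer": "", "csrf_token": ""}
{"ts": 1625400012, "session": "s1", "method": "POST", "uri": "/permissions/delete/7", "referer": "", "csrf_token": ""}
{"ts": 1625400100, "session": "s2", "method": "GET", "uri": "/permissions", "referer": "https://cms.example.com/", "csrf_token": ""}
"""


def parse_log(text):
    """Yield one dict per non-empty JSON line."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def event_reasons(ev):
    """Indicators that apply to a single permission-deletion request."""
    reasons = []
    referer = ev.get("referer") or ""
    if not referer:
        reasons.append("no referer")
    else:
        host = urlsplit(referer).hostname
        if host != ADMIN_HOST:
            reasons.append(f"cross-origin referer {host}")
    if not ev.get("csrf_token"):
        reasons.append("missing csrf_token")
    return reasons


def detect(text):
    """Return alerts as (session, uri, reason) tuples, including per-session bursts."""
    alerts = []
    deletions = defaultdict(int)
    for ev in parse_log(text):
        if not ev["uri"].startswith(DELETE_PREFIX):
            continue                     # only the vulnerable action is of interest
        deletions[ev["session"]] += 1
        for reason in event_reasons(ev):
            alerts.append((ev["session"], ev["uri"], reason))
    for session, count in deletions.items():
        if count >= BURST_THRESHOLD:
            alerts.append((session, DELETE_PREFIX + "*", f"{count} deletions in one session"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The burst rule counts deletions per session over the whole input; in a real pipeline it would be bounded to a time window. The legitimate first deletion (same-host referer, token present) raises nothing, so the output is driven entirely by the three forged requests and the burst they create.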
