CVE-2022-47132
📋 TL;DR
This CSRF vulnerability in Academy LMS allows attackers to add unauthorized administrator accounts by tricking authenticated administrators into clicking malicious links. All Academy LMS instances running versions before 5.10 are affected, potentially giving attackers full administrative control over the learning management system.
💻 Affected Systems
- Academy LMS
📦 What is this software?
Academy LMS by Creativeitem
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the Academy LMS instance with attackers gaining administrative privileges, allowing them to modify courses, access sensitive student data, install backdoors, or delete the entire system.
Likely Case
Attackers create hidden administrator accounts to maintain persistent access, potentially leading to data theft, system manipulation, or further exploitation of the compromised platform.
If Mitigated
With proper CSRF protections and user awareness, exploitation attempts fail, maintaining system integrity and preventing unauthorized administrative access.
🎯 Exploit Status
Exploitation requires tricking an authenticated administrator into clicking a malicious link or visiting a compromised website while logged into Academy LMS.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.10 and later
Vendor Advisory: https://xpsec.co/blog/academy-lms-5-10-add-admin-csrf
Restart Required: No
Instructions:
1. Back up your Academy LMS database and files.
2. Download Academy LMS version 5.10 or later from the official source.
3. Replace all files with the new version while preserving configuration files.
4. Run any database update scripts if provided.
5. Verify the update completed successfully.
🔧 Temporary Workarounds
CSRF Token Implementation
Manually add CSRF tokens to all administrative forms and validate them server-side
SameSite Cookie Attribute
Configure session cookies with the SameSite=Strict attribute to prevent CSRF attacks
Set-Cookie: session=value; SameSite=Strict; Secure; HttpOnly
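As an added example (not Academy LMS code and not from the vendor), the following stdlib Python shows the two workarounds together: a per-session synchronizer token embedded in an administrative form and validated server-side with a constant-time comparison, plus the Set-Cookie line above built with SameSite=Strict, Secure and HttpOnly. The form action /admin/user/create is taken from the detection section of this page; the session dictionary, field names and function names are assumptions.

```python
"""Added example (not Academy LMS code): synchronizer-token CSRF protection
for administrative forms plus a SameSite=Strict session cookie.
All names here are assumptions, not the project's own API."""
import hmac
import secrets
from http.cookies import SimpleCookie

SESSION_COOKIE = "session"  # assumed cookie name, matching the workaround above


def issue_csrf_token(session: dict) -> str:
    """Create one unguessable token per session and reuse it for every admin form."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def render_admin_form(session: dict, action: str) -> str:
    """Embed the session token as a hidden field; a cross-site page cannot read it."""
    token = issue_csrf_token(session)
    return (
        f'<form method="POST" action="{action}">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input name="email"><button>Create admin</button></form>'
    )


def validate_admin_post(session: dict, form: dict) -> bool:
    """Server-side check that every state-changing admin request must pass.

    Rejects a missing token outright and compares in constant time so the
    value cannot be probed byte by byte."""
    expected = session.get("csrf_token")
    submitted = form.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def session_set_cookie(session_id: str) -> str:
    """Build the Set-Cookie value from the workaround above (Strict, Secure, HttpOnly)."""
    cookie = SimpleCookie()
    cookie[SESSION_COOKIE] = session_id
    cookie[SESSION_COOKIE]["samesite"] = "Strict"
    cookie[SESSION_COOKIE]["secure"] = True
    cookie[SESSION_COOKIE]["httponly"] = True
    return cookie[SESSION_COOKIE].OutputString()


if __name__ == "__main__":
    sess = {}
    print(render_admin_form(sess, "/admin/user/create"))
    print("Set-Cookie:", session_set_cookie("abc123"))
    print("valid:", validate_admin_post(sess, {"csrf_token": sess["csrf_token"]}))
    print("forged:", validate_admin_post(sess, {"csrf_token": "guess"}))
```

SameSite=Strict also withholds the session cookie on top-level navigations that arrive from other sites, so an administrator following a link into the admin panel from e-mail lands logged out; the server-side token check is the control that holds regardless of browser behaviour.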
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to detect and block CSRF attempts
- Require re-authentication for all administrative actions and implement multi-factor authentication
🔍 How to Verify
Check if Vulnerable:
Check the Academy LMS version in the admin panel or by examining the software files. If the version is below 5.10, the system is vulnerable.
Check Version:
Check the admin dashboard or examine the version.php file in the Academy LMS installation directory.
Verify Fix Applied:
After updating to 5.10 or later, test administrative functions to ensure CSRF tokens are present and validated. Attempt to reproduce the exploit using the published PoC to confirm it fails.
📡 Detection & Monitoring
Log Indicators:
- Multiple administrator account creation attempts from the same IP address
- Administrative actions without corresponding user session activity
- POST requests to user creation endpoints without CSRF tokens
Network Indicators:
- HTTP POST requests to /admin/user/create or similar endpoints without Referer headers or CSRF tokens
- Unusual traffic patterns where administrative actions follow visits to external sites
SIEM Query:
source="academy_lms_logs" AND (event="user_created" OR event="admin_added") AND NOT csrf_token=*
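An added example, not part of the original advisory and not Academy LMS code: a small Python detector that applies the log and network indicators above to constructed key=value log lines. It flags POSTs to the user-creation endpoint that carry no CSRF token, no Referer, or a Referer from another origin, and lists source IPs that created several accounts. The log format, the hostname lms.example.test, the threshold of three creations per IP and the endpoint /admin/user/create are assumptions; real Academy LMS logs will need their own parser.

```python
"""Added example (not Academy LMS code): run the CSRF log/network indicators
over constructed log lines. Format, hostname and threshold are assumptions."""
import shlex
from collections import Counter
from urllib.parse import urlparse

SITE_HOST = "lms.example.test"          # assumed hostname of the LMS
CREATE_PATHS = ("/admin/user/create",)  # assumed admin user-creation endpoint
PER_IP_THRESHOLD = 3                    # assumed: 3+ creations from one IP is noisy

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOGS = """\
ts=2024-03-01T09:00:01Z ip=203.0.113.5 method=POST path=/admin/user/create referer=https://lms.example.test/admin/users csrf_token=f3a1c9 event=admin_added
ts=2024-03-01T09:00:07Z ip=203.0.113.5 method=GET path=/admin/dashboard referer=https://lms.example.test/login
ts=2024-03-01T09:05:00Z ip=198.51.100.9 method=POST path=/admin/user/create referer=https://other-site.example.net/page event=admin_added
ts=2024-03-01T09:05:02Z ip=198.51.100.9 method=POST path=/admin/user/create event=admin_added
ts=2024-03-01T09:05:04Z ip=198.51.100.9 method=POST path=/admin/user/create event=admin_added
"""


def parse_line(line: str) -> dict:
    """Split one key=value log line into a dict (shlex handles quoted values)."""
    rec = {}
    for field in shlex.split(line):
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def csrf_reasons(rec: dict) -> list:
    """Return the indicators a user-creation POST trips; empty for benign requests."""
    if rec.get("method") != "POST" or rec.get("path") not in CREATE_PATHS:
        return []
    reasons = []
    if not rec.get("csrf_token"):
        reasons.append("missing_csrf_token")
    referer = rec.get("referer")
    if not referer:
        reasons.append("missing_referer")
    elif urlparse(referer).hostname != SITE_HOST:
        reasons.append("cross_site_referer")
    return reasons


def analyze(log_text: str) -> dict:
    """Collect suspicious creation requests and IPs with repeated account creation."""
    suspicious = []
    creations = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        reasons = csrf_reasons(rec)
        if reasons:
            suspicious.append({"ts": rec.get("ts"), "ip": rec.get("ip"), "reasons": reasons})
        # Mirrors the SIEM query's event filter above.
        if rec.get("event") in ("user_created", "admin_added"):
            creations[rec.get("ip")] += 1
    noisy = sorted(ip for ip, n in creations.items() if n >= PER_IP_THRESHOLD)
    return {"suspicious": suspicious, "noisy_ips": noisy}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOGS)
    for alert in result["suspicious"]:
        print(alert["ts"], alert["ip"], ", ".join(alert["reasons"]))
    print("noisy IPs:", result["noisy_ips"])
```

The Referer conditions are corroborating signals only: browsers drop or trim the header under strict referrer policies, so a missing Referer alone should raise the score of an event rather than page anyone, while a creation POST with no CSRF token after the 5.10 fix is applied is the condition worth an alert on its own.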