CVE-2023-36237

8.8 HIGH

📋 TL;DR

This Cross-Site Request Forgery (CSRF) vulnerability in the Bagisto e-commerce platform lets an attacker make an authenticated user's browser perform state-changing actions the user never intended. The attacker hosts a page containing a crafted HTML form or script; when a victim who is logged into Bagisto visits it, the browser submits the request with the victim's session cookie attached, and Bagisto processes it as if the victim had made it. All Bagisto installations before version 1.5.1 are affected.

💻 Affected Systems

Products:
  • Bagisto
Versions: All versions before 1.5.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations of affected versions are vulnerable. The victim must be logged in (typically to the admin panel) and must load an attacker-controlled page in the same browser; an auto-submitting form needs no interaction beyond opening the page.

📦 What is this software?

Bagisto is an open-source e-commerce platform built on the Laravel PHP framework and Vue.js. Because it is a Laravel application, its CSRF protection is the framework's VerifyCsrfToken middleware, its session cookie is configured in config/session.php, and its forms are Blade templates, which is why the mitigations below refer to those components.

⚠️ Risk & Real-World Impact

🔴

Worst Case

The CVE description characterises the outcome as arbitrary code execution. In practice CSRF gives the attacker whatever the victim's session can do, so against an administrator that means creating admin accounts, changing store configuration, or altering catalog and order data, which can be chained into data theft, account takeover, or full control of the instance.

🟠

Likely Case

Attackers trick a logged-in administrator into performing unauthorized actions such as creating a new admin account, changing store configuration, or modifying product and order data, without the administrator noticing anything beyond a visit to an unrelated page.

🟢

If Mitigated

Limited impact once Bagisto's CSRF middleware covers every state-changing route. Residual exposure comes from routes listed in the VerifyCsrfToken '$except' array, routes registered outside the 'web' middleware group, and any state-changing GET routes, which SameSite=Lax does not protect.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires the victim to be authenticated and to visit a malicious page; no credentials or direct access to the server are needed. CSRF attacks are well-understood and trivial to weaponize as a single auto-submitting HTML form.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.5.1 and later

Vendor Advisory: https://github.com/bagisto/bagisto

Restart Required: No

Instructions:

1. Back up the current installation (files and database).
2. Update Bagisto to version 1.5.1 or later via Composer ('composer require bagisto/bagisto'), following the project's upgrade notes for your installation method.
3. Run database migrations if the release includes any: 'php artisan migrate'.
4. Clear caches: 'php artisan cache:clear', plus 'php artisan config:clear' and 'php artisan route:clear' so a stale route or config cache does not keep the old middleware settings in effect.

🔧 Temporary Workarounds

Implement CSRF Token Validation (all platforms)

Laravel already ships CSRF protection: the VerifyCsrfToken middleware in the 'web' middleware group rejects any POST, PUT, PATCH or DELETE whose '_token' field or 'X-CSRF-TOKEN'/'X-XSRF-TOKEN' header does not match the session token, answering with HTTP 419. A route is only unprotected if it is registered outside the 'web' group or listed in that middleware's '$except' array, so this workaround is an audit of the existing protection rather than new code:

Confirm every state-changing admin route runs through the 'web' middleware group
Remove admin routes from the '$except' array of the application's VerifyCsrfToken middleware (app/Http/Middleware/VerifyCsrfToken.php in a standard Laravel layout)
Add the '@csrf' directive to every form in Blade templates and send the 'X-CSRF-TOKEN' header from AJAX calls

SameSite Cookie Enforcement (all platforms)

Configure the session cookie with the SameSite attribute. Laravel reads this from the 'same_site' key in config/session.php (the default is 'lax'); 'session.cookie_samesite' is the PHP ini directive for native PHP sessions and has no effect on Laravel's own session cookie.

Set 'same_site' => 'strict' in config/session.php, then run 'php artisan config:clear'

Caveat: 'strict' withholds the cookie on every cross-site navigation, including the return from a hosted payment gateway or SSO login, which can log customers out mid-checkout; 'lax' avoids that but still allows top-level GET navigations, so any state-changing GET route stays exposed. SameSite is defence in depth, not a replacement for tokens.

🧯 If You Can't Patch

  • Put the admin panel behind a reverse proxy or WAF rule that rejects POST/PUT/PATCH/DELETE requests to /admin/ whose Origin header (or, failing that, Referer) is not the store's own host; this is the one CSRF check that can be enforced at the edge without touching the application
  • Restrict administrative access to trusted networks only (VPN or IP allow-list) and require multi-factor authentication; MFA does not stop CSRF once a session exists, it only narrows who can hold such a session

🔍 How to Verify

Check if Vulnerable:

Read the Bagisto version from the installation's composer.json or from the admin panel. If it is below 1.5.1, the system is vulnerable.

Check Version:

Check composer.json for the 'bagisto/bagisto' version, or check the admin panel. Note that 'php artisan --version' prints the Laravel framework version, not the Bagisto release, so it does not answer this question.

Verify Fix Applied:

Verify the version is 1.5.1 or higher, then test the protection directly: while logged in, replay a state-changing admin request without the '_token' field and with a foreign Origin header. A protected route answers HTTP 419 (Laravel's token-mismatch response); if the action goes through, that route is still unprotected.
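The replay described above, as an added example that is not code from the Bagisto project or the advisory. It posts to a route with a valid session cookie but deliberately no CSRF token, from a foreign Origin, and classifies the response; the '/admin/...' path in the usage line is a placeholder, not a route taken from the advisory, and the session cookie name is whatever your browser shows for the logged-in admin session. Point it only at a harmless state-changing form on an install you are authorised to test.

```python
"""Added example: replay a state-changing request to a Laravel/Bagisto route
without a CSRF token and classify the response. Laravel's VerifyCsrfToken
middleware answers a token mismatch with HTTP 419, so a 419 on a token-less
POST means the route is protected. Assumptions: the cookie you pass is a
valid logged-in session (copy name and value from the browser) and the URL is
a harmless state-changing admin form; both are placeholders here.
"""
from __future__ import annotations

import sys
import urllib.error
import urllib.parse
import urllib.request
from typing import Optional


def classify_csrf_response(status: int, location: Optional[str] = None) -> str:
    """Turn the status of a token-less POST into a verdict.

    419      -> protected: Laravel raised TokenMismatchException
    2xx      -> unprotected: the action was processed without a token
    3xx      -> a bounce to the login page means the session cookie was not
                accepted (retest with a fresh cookie); any other redirect is
                usually the post-success redirect, i.e. the route is
                unprotected unless you can show the change did not happen
    401/403  -> auth ran first; retest with a valid session before concluding
    """
    if status == 419:
        return "protected"
    if 200 <= status < 300:
        return "unprotected"
    if 300 <= status < 400:
        if location and "login" in location.lower():
            return "inconclusive-login-redirect"
        return "probably-unprotected-redirect"
    if status in (401, 403):
        return "inconclusive-auth"
    return f"unexpected-{status}"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects: the Location header is part of the verdict."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(url: str, session_cookie: str, form: dict, timeout: float = 10.0) -> tuple:
    """POST `form` with the session cookie but without a _token field or
    X-CSRF-TOKEN header, from a foreign Origin, the way a cross-site form post
    arrives. Returns (status, location)."""
    body = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    req.add_header("Cookie", session_cookie)
    req.add_header("Origin", "https://attacker.example")  # constructed foreign origin
    req.add_header("Referer", "https://attacker.example/lure.html")
    opener = urllib.request.build_opener(_NoRedirect())
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        # 3xx, 419 and other error statuses land here because redirects are not followed
        return err.code, err.headers.get("Location")


if __name__ == "__main__":
    # usage: python csrf_probe.py https://shop.example/admin/<state-changing-route> '<session-cookie-name>=<value>'
    target, cookie = sys.argv[1], sys.argv[2]
    status, location = probe(target, cookie, {"name": "csrf-probe"})
    print(status, location, classify_csrf_response(status, location))
```

Run it once against the unpatched install to see the route accept the request, and again after the upgrade to see the 419; a route that still answers with a success redirect after patching is worth checking against the middleware's '$except' list.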

📡 Detection & Monitoring

Log Indicators:

  • Bursts of HTTP 419 responses (Laravel's token-mismatch status) on admin routes, which is what a CSRF attempt against a protected route looks like
  • Administrative actions (new admin users, configuration changes) from unusual IPs or at unusual times, with no normal admin navigation preceding them

Network Indicators:

  • POST, PUT, PATCH or DELETE requests to /admin/ whose Origin or Referer host is not the store's own host, or that carry no '_token' field
  • Requests to administrative endpoints referred from external sites

SIEM Query:

Field names vary by SIEM; the shape of the query is:

source=web_logs method IN ("POST","PUT","PATCH","DELETE") uri_path="/admin/*" AND (status=419 OR referer="-" OR NOT referer_host IN ("<store hostname>"))
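The same detection logic applied to web-server access logs, as an added example that is not Bagisto's own code or logging. It parses combined-format lines and flags state-changing requests under /admin/ that were rejected with 419, carry a Referer on a foreign host, or carry no Referer at all (the weakest signal, since Referrer-Policy can suppress the header). The log lines, IPs and /admin/... paths are constructed for the example, not taken from a real install.

```python
"""Added example: flag cross-site-looking state-changing requests to the admin
panel in combined-format access logs. Sample lines below are constructed."""
import re
from urllib.parse import urlsplit

# combined log format: ip ident user [time] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def parse_line(line: str):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def csrf_reasons(entry: dict, site_hosts: set, admin_prefix: str = "/admin/") -> list:
    """List why a parsed entry looks like a cross-site request to the admin panel
    (empty list = nothing suspicious). Only state-changing methods under the admin
    prefix are considered, so GETs and storefront traffic never fire."""
    if entry["method"] not in STATE_CHANGING or not entry["path"].startswith(admin_prefix):
        return []
    reasons = []
    if entry["status"] == "419":
        reasons.append("419 token mismatch (CSRF middleware rejected the request)")
    referer = entry["referer"]
    if referer in ("", "-"):
        reasons.append("no Referer on a state-changing admin request (weak signal)")
    else:
        host = (urlsplit(referer).hostname or "").lower()
        if host not in site_hosts:
            reasons.append(f"cross-site Referer host {host}")
    return reasons


def scan(lines, site_hosts):
    """Parse every line and return findings as (ip, method, path, status, reasons)."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if not entry:
            continue
        reasons = csrf_reasons(entry, site_hosts)
        if reasons:
            findings.append((entry["ip"], entry["method"], entry["path"], entry["status"], reasons))
    return findings


# Constructed sample: a legitimate admin save, a CSRF attempt the middleware
# rejected, a CSRF attempt that got through on an unprotected route, an admin
# GET with a foreign referer (ignored), and a storefront POST (ignored).
SAMPLE_LOG = [
    '198.51.100.7 - - [20/Jun/2023:09:12:01 +0000] "POST /admin/catalog/products/edit/42 HTTP/1.1" 302 421 "https://shop.example/admin/catalog/products/edit/42" "Mozilla/5.0"',
    '203.0.113.9 - - [20/Jun/2023:09:14:33 +0000] "POST /admin/settings/users/create HTTP/1.1" 419 1533 "https://attacker.example/lure.html" "Mozilla/5.0"',
    '203.0.113.9 - - [20/Jun/2023:09:14:35 +0000] "POST /admin/settings/users/create HTTP/1.1" 302 455 "https://attacker.example/lure.html" "Mozilla/5.0"',
    '203.0.113.9 - - [20/Jun/2023:09:14:36 +0000] "GET /admin/dashboard HTTP/1.1" 200 9211 "https://attacker.example/lure.html" "Mozilla/5.0"',
    '192.0.2.44 - - [20/Jun/2023:09:15:02 +0000] "POST /checkout/cart/add HTTP/1.1" 302 318 "https://news.example/review" "Mozilla/5.0"',
]
SITE_HOSTS = {"shop.example"}

if __name__ == "__main__":
    for ip, method, path, status, reasons in scan(SAMPLE_LOG, SITE_HOSTS):
        print(f"{ip} {method} {path} -> {status}: {'; '.join(reasons)}")
```

A 419 followed seconds later by a success redirect on the same path from the same client, as in the sample, is the pattern to triage first: the attacker's page hit a protected route and then an unprotected one. Treat missing-Referer hits as noise unless they cluster with the other two signals.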

🔗 References
