CVE-2024-26350

8.8 HIGH

📋 TL;DR

Flusity-CMS v2.33 contains a Cross-Site Request Forgery vulnerability in the contact form settings update component. This allows attackers to trick authenticated administrators into making unauthorized changes to contact form configurations. All users running the vulnerable version are affected.

💻 Affected Systems

Products:
  • flusity-CMS
Versions: v2.33
Operating Systems: All operating systems running the CMS
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations running the vulnerable version. The forged request executes with the privileges of an authenticated administrator, but the attacker needs no credentials of their own: CSRF rides on the administrator's existing browser session.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could modify contact forms to capture sensitive user data, redirect form submissions to malicious servers, or disable legitimate contact functionality entirely.

🟠 Likely Case

Unauthorized changes to contact form settings leading to data leakage, spam injection, or disruption of legitimate contact functionality.

🟢 If Mitigated

With proper CSRF protections in place the vulnerability is prevented, because every state-changing request must carry a valid anti-CSRF token that a cross-site page cannot read or forge.

🌐 Internet-Facing: HIGH - The vulnerable component is accessible via web interface and affects internet-facing CMS installations.
🏢 Internal Only: MEDIUM - Internal deployments are still vulnerable to attacks from within the network perimeter.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires tricking an authenticated administrator into visiting a malicious page; CSRF attacks are well-understood and easy to implement.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: No official vendor advisory found

Restart Required: No

Instructions:

  1. Check for an updated version from official sources.
  2. If one is available, back up the current installation.
  3. Apply the update following the vendor's instructions.
  4. Verify that CSRF protections are implemented on the contact form settings endpoint.

🔧 Temporary Workarounds

Implement CSRF Protection (all platforms)

Add CSRF tokens to the vulnerable endpoint and validate them on the server side.

Modify /core/tools/update_contact_form_settings.php to include and validate CSRF tokens.
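The hardened handler below is an added illustration of that workaround, not flusity-CMS code: it assumes a PHP session-based admin login that sets $_SESSION['admin_id'] and an existing saveContactFormSettings() routine that performs the actual update (both names are hypothetical), and shows the token issue, constant-time validation, Origin check and SameSite session cookie that the original handler lacked.

```php
<?php
// Added example, not part of flusity-CMS. Stand-in for a hardened
// /core/tools/update_contact_form_settings.php.
// Assumed: $_SESSION['admin_id'] is set on admin login and
// saveContactFormSettings(array $post) applies the settings change.
declare(strict_types=1);

// SameSite=Lax keeps the session cookie off cross-site POSTs entirely,
// a second layer independent of the token check below.
session_set_cookie_params(['samesite' => 'Lax', 'httponly' => true, 'secure' => true]);
session_start();

// Issue a per-session anti-CSRF token. Call this when rendering the settings
// form and embed it as <input type="hidden" name="csrf_token" value="...">.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Validate the token submitted with a state-changing request.
// hash_equals() compares in constant time, so the check leaks no timing information.
function csrfTokenIsValid(mixed $submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    return $expected !== '' && is_string($submitted) && hash_equals($expected, $submitted);
}

// Defence in depth: if the browser sent an Origin header (it does on cross-site
// POSTs), its host must match this site. A missing Origin falls through to the token check.
function originIsTrusted(array $server, string $expectedHost): bool
{
    $origin = $server['HTTP_ORIGIN'] ?? '';
    if ($origin === '') {
        return true;
    }
    return strcasecmp((string) parse_url($origin, PHP_URL_HOST), $expectedHost) === 0;
}

// The original weakness: settings were updated on any POST carrying an admin
// session, with no proof that the administrator initiated the request.
if ($_SERVER['REQUEST_METHOD'] !== 'POST' || empty($_SESSION['admin_id'])) {
    http_response_code(403);
    exit('Forbidden');
}
if (!csrfTokenIsValid($_POST['csrf_token'] ?? null) || !originIsTrusted($_SERVER, $_SERVER['SERVER_NAME'])) {
    http_response_code(403);
    error_log('CSRF check failed on update_contact_form_settings from ' . ($_SERVER['REMOTE_ADDR'] ?? '?'));
    exit('Invalid request');
}
saveContactFormSettings($_POST); // assumed existing update routine
```

The error_log() line doubles as the "CSRF token missing or invalid" indicator that the detection section below looks for in server logs.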

Restrict Access (all platforms)

Implement additional authentication requirements or IP restrictions for the vulnerable endpoint.

Add IP whitelisting or multi-factor authentication for admin functions.

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to detect and block CSRF attempts
  • Monitor administrator sessions for unusual activity and implement session timeouts

🔍 How to Verify

Check if Vulnerable:

Check if running flusity-CMS version 2.33 and examine /core/tools/update_contact_form_settings.php for CSRF token validation.

Check Version:

Check CMS version in admin panel or configuration files

Verify Fix Applied:

Test that POST requests to the vulnerable endpoint require and validate CSRF tokens.

📡 Detection & Monitoring

Log Indicators:

  • Multiple POST requests to /core/tools/update_contact_form_settings.php without referrer headers or CSRF tokens
  • Unusual contact form configuration changes

Network Indicators:

  • HTTP requests to vulnerable endpoint with suspicious referrer domains
  • Patterns of requests matching CSRF attack signatures

SIEM Query:

source="web_server" AND (uri="/core/tools/update_contact_form_settings.php" AND method="POST") AND NOT (referrer CONTAINS "yourdomain.com")

Replace yourdomain.com with the site's own host. Requests with no Referer header at all also match this filter, which is intended, but expect some benign hits from browsers or privacy extensions that strip the header; correlate with the "Unusual contact form configuration changes" indicator before escalating.
