CVE-2024-36548

8.8 HIGH

📋 TL;DR

This CSRF vulnerability in idccms V1.35 allows attackers to trick authenticated administrators into performing unauthorized actions, specifically deleting company records via the admin interface. Any idccms V1.35 installation with administrative access is affected. Attackers can exploit this by luring administrators to malicious web pages.

💻 Affected Systems

Products:
  • idccms
Versions: V1.35
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: The victim must be an authenticated administrator; the vulnerable endpoint lives in the admin interface, so the attacker needs no credentials of their own.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete data loss through deletion of critical company records, potential business disruption, and unauthorized administrative actions leading to system compromise.

🟠 Likely Case

Unauthorized deletion of company data, requiring restoration from backups and causing temporary service disruption.

🟢 If Mitigated

No impact if proper CSRF protections are implemented or if administrators avoid clicking suspicious links.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires the victim to be logged in as an administrator and visit a malicious page. The exploit is simple and well-documented.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch available. Consider upgrading to a newer version if available, or implement CSRF tokens in admin/vpsCompany_deal.php.

🔧 Temporary Workarounds

Implement CSRF Protection (platforms: all)

  • Add CSRF tokens to the vulnerable endpoint admin/vpsCompany_deal.php
  • Edit admin/vpsCompany_deal.php to include CSRF token validation

Restrict Admin Access (platforms: all)

  • Limit admin panel access to trusted IP addresses only
  • Add IP whitelisting rules to web server configuration

🧯 If You Can't Patch

  • Implement strict SameSite cookie policies and require re-authentication for sensitive actions
  • Monitor admin activity logs for unauthorized deletion attempts and implement alerting
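The workaround above (CSRF token validation in admin/vpsCompany_deal.php) and the SameSite cookie advice from this section can be combined in one guard. The code below is an added illustration written for this advisory, not idccms's own source: the function names csrf_token(), csrf_verify() and same_origin(), the ADMIN_HOST constant and the exact shape of the delete request (a POST carrying mudi=del) are assumptions modelled on the endpoint named in the advisory. It needs PHP 7.0 or later for random_bytes() and PHP 7.3 or later for the samesite cookie option.

```php
<?php
// Added example: synchronizer-token CSRF guard for the delete action.
// Illustrative code, NOT idccms's own source. ADMIN_HOST, csrf_token(),
// csrf_verify(), same_origin() and the request shape are assumptions.

declare(strict_types=1);

const ADMIN_HOST = 'admin.example.com'; // assumption: set to the real admin hostname

// 1. Harden the session cookie before the session starts. SameSite=Strict
//    means a cross-site form post does not carry the admin session at all.
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,   // assumes the admin panel is served over HTTPS
    'samesite' => 'Strict',
]);
session_start();

// 2. Issue one random token per session and embed it in every admin form.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// 3. Compare the submitted token with the session copy in constant time.
function csrf_verify(?string $submitted): bool
{
    return is_string($submitted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

// 4. Defence in depth: reject state changes whose Origin (or, failing that,
//    Referer) names a host other than the admin panel itself.
function same_origin(array $server): bool
{
    foreach (['HTTP_ORIGIN', 'HTTP_REFERER'] as $header) {
        if (!empty($server[$header])) {
            $host = parse_url($server[$header], PHP_URL_HOST);
            return is_string($host) && strcasecmp($host, ADMIN_HOST) === 0;
        }
    }
    return false; // neither header present: treat as cross-site
}

// Guarded delete handler. Deletes are only accepted as POST, with a valid
// token, from the admin origin; anything else is refused before any work.
if (($_POST['mudi'] ?? null) === 'del') {
    if ($_SERVER['REQUEST_METHOD'] !== 'POST'
        || !csrf_verify($_POST['csrf_token'] ?? null)
        || !same_origin($_SERVER)) {
        http_response_code(403);
        exit('CSRF check failed');
    }
    // ... perform the deletion of the requested company record here ...
}
?>
<!-- Every admin form that triggers a delete must carry the token: -->
<form method="post" action="vpsCompany_deal.php">
    <input type="hidden" name="mudi" value="del">
    <input type="hidden" name="csrf_token"
           value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') ?>">
    <button type="submit">Delete</button>
</form>
```

The token check is the primary control; the SameSite cookie and the Origin/Referer comparison are independent layers, so a deployment that cannot yet change every form still gains something from the cookie setting alone. Existing admin sessions must be re-established after the cookie parameters change, and the ADMIN_HOST constant should come from configuration rather than from the client-controlled Host header.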

🔍 How to Verify

Check if Vulnerable:

Check if admin/vpsCompany_deal.php lacks CSRF token validation when handling delete requests (mudi=del).

Check Version:

Check CMS version in configuration files or admin panel

Verify Fix Applied:

Verify that CSRF tokens are properly validated before processing delete requests in admin/vpsCompany_deal.php.

📡 Detection & Monitoring

Log Indicators:

  • Multiple delete requests (mudi=del) to admin/vpsCompany_deal.php from unusual sources
  • Unauthorized deletion of company records

Network Indicators:

  • HTTP POST requests to admin/vpsCompany_deal.php with mudi=del parameter from unexpected referrers

SIEM Query:

source="web_logs" AND uri="/admin/vpsCompany_deal.php" AND params="mudi=del" AND referrer NOT CONTAINS "trusted-domain"
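The SIEM query above is vendor-neutral pseudo-syntax. The script below is an added example, not part of the advisory or of idccms, that applies the same logic to raw web-server access logs: it flags any request for /admin/vpsCompany_deal.php carrying mudi=del whose Referer is absent or names a host outside a trusted list. The log lines are constructed in the common "combined" format, the TRUSTED_HOSTS list is an assumption, and the script assumes the action parameter is visible in the logged request line (standard access logs do not record POST bodies, so requests that carry mudi=del only in the body need a logger that captures parameters). It needs PHP 8.0 or later for str_ends_with().

```php
<?php
// Added example: flag delete requests to the vulnerable endpoint whose
// Referer is missing or foreign. Illustrative code, not idccms's; sample
// log lines are constructed and TRUSTED_HOSTS is an assumption.

declare(strict_types=1);

const TRUSTED_HOSTS = ['admin.example.com']; // assumption: your own admin origin

// Combined log format:
// ip - user [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
const LOG_RE = '/^(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] '
    . '"(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3}) \S+ '
    . '"(?<referer>[^"]*)" "(?<ua>[^"]*)"/';

function parse_line(string $line): ?array
{
    return preg_match(LOG_RE, $line, $m) === 1 ? $m : null;
}

// A Referer vouches for a request only if it names a trusted host.
function referer_trusted(string $referer): bool
{
    if ($referer === '' || $referer === '-') {
        return false;                       // no Referer at all
    }
    $host = parse_url($referer, PHP_URL_HOST);
    return is_string($host) && in_array(strtolower($host), TRUSTED_HOSTS, true);
}

// True when the request line targets the vulnerable endpoint with mudi=del.
function is_delete_on_endpoint(array $m): bool
{
    $url = parse_url($m['path']);
    if (!isset($url['path']) || !str_ends_with($url['path'], '/admin/vpsCompany_deal.php')) {
        return false;
    }
    parse_str($url['query'] ?? '', $q);
    return ($q['mudi'] ?? null) === 'del';
}

// Returns one record per delete request that no trusted Referer vouches for.
function flag_suspicious(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        $m = parse_line($line);
        if ($m === null || !is_delete_on_endpoint($m)) {
            continue;
        }
        if (!referer_trusted($m['referer'])) {
            $hits[] = [
                'ip'      => $m['ip'],
                'time'    => $m['time'],
                'method'  => $m['method'],
                'referer' => $m['referer'],
            ];
        }
    }
    return $hits;
}

// Constructed sample lines (not real traffic). Lines 1 and 3 should be
// flagged: a foreign Referer and a missing Referer respectively.
$sample = [
    '203.0.113.5 - - [10/Jun/2024:12:00:01 +0000] "GET /admin/vpsCompany_deal.php?mudi=del HTTP/1.1" 200 512 "http://other.example/page.html" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Jun/2024:12:00:02 +0000] "POST /admin/vpsCompany_deal.php?mudi=del HTTP/1.1" 200 512 "https://admin.example.com/admin/" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jun/2024:12:00:03 +0000] "GET /admin/vpsCompany_deal.php?mudi=del HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Jun/2024:12:00:04 +0000] "GET /admin/ HTTP/1.1" 200 2048 "https://admin.example.com/admin/" "Mozilla/5.0"',
];

foreach (flag_suspicious($sample) as $hit) {
    printf("ALERT %s %s %s referer=%s\n",
        $hit['time'], $hit['ip'], $hit['method'], $hit['referer']);
}
```

Run it with `php detect.php` against a file of real access-log lines (replace $sample with the lines read from the file). Because browsers omit or trim the Referer under some referrer policies, a missing Referer on its own is a weak signal; correlate the hits with the application's own deletion audit log and with the session's usual source address before treating them as confirmed abuse.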
