CVE-2024-51157 – This CSRF vulnerability in 07FLYCMS V1.3.9 allo... (How to Fix)

Q: What is the severity of CVE-2024-51157?

CVE-2024-51157 has a CVSS score of 4.7 (MEDIUM). This CSRF vulnerability in 07FLYCMS V1.3.9 allows attackers to trick authenticated users into performing unauthorized actions by visiting malicious web pages. It affects all users of the vulnerable version who have access to the OaSchedule/add.html component. The attack requires the victim to be logged into the application.

📋 TL;DR

This CSRF vulnerability in 07FLYCMS V1.3.9 allows attackers to trick authenticated users into performing unauthorized actions by visiting malicious web pages. It affects all users of the vulnerable version who have access to the OaSchedule/add.html component. The attack requires the victim to be logged into the application.

💻 Affected Systems

Products:

07FLYCMS

Versions: V1.3.9

Operating Systems: All

Default Config Vulnerable: ⚠️ Yes

Notes: The vulnerability specifically affects the OaSchedule/add.html component at the specified URL path.

📦 What is this software?

07flycms by 07fly

View all CVEs affecting 07flycms →

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker could create, modify, or delete schedule entries in the OA system, potentially disrupting business operations or inserting malicious content.

🟠

Likely Case

Attackers could create fake schedule entries or modify existing ones, causing confusion or minor operational disruption.

🟢

If Mitigated

With proper CSRF protections, no unauthorized actions can be performed even if users visit malicious pages.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

CSRF attacks are well-understood and easy to implement. The victim must be authenticated and visit a malicious page while logged in.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch available. Implement CSRF tokens in all state-changing endpoints, particularly OaSchedule/add.html.

🔧 Temporary Workarounds

Implement CSRF Protection

all

Add CSRF tokens to all forms and validate them server-side

SameSite Cookie Attribute

all

Set SameSite=Strict or Lax on session cookies to prevent CSRF

🧯 If You Can't Patch

Implement WAF rules to detect and block CSRF attempts
Educate users about not clicking suspicious links while authenticated

🔍 How to Verify

Check if Vulnerable:

Check if OaSchedule/add.html endpoint lacks CSRF token validation by inspecting form submissions

Check Version:

Check application version in admin panel or configuration files

Verify Fix Applied:

Verify that all POST requests to OaSchedule/add.html include and validate CSRF tokens

📡 Detection & Monitoring

Log Indicators:

Multiple schedule additions from same user in short time
Schedule entries with suspicious content

Network Indicators:

POST requests to OaSchedule/add.html without Referer header or CSRF tokens

SIEM Query:

source="web_logs" AND uri="/oa/OaSchedule/add.html" AND method="POST" AND NOT csrf_token=*

📊 Metadata

CVE ID: CVE-2024-51157

CVSS v3 Score: 4.7 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N

CWE: CWE-352

Published: November 8, 2024

Last Updated: April 18, 2025

🔗 References

https://github.com/xiaoyunzhui/cms/blob/main/2/readme.md Exploit

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-51157, you might also want to check these: