Description
Snews CMS 1.7 contains a cross-site request forgery vulnerability that allows attackers to change administrator credentials without authentication by crafting malicious HTML forms. Attackers can trick authenticated administrators into visiting a page containing a hidden form that submits POST requests to the changeup action, modifying the admin username and password parameters to gain unauthorized access.
Published: 2026-04-04
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized change of administrator credentials
Action: Apply Patch
AI Analysis

Impact

Snews CMS version 1.7 contains a cross‑site request forgery vulnerability that permits an attacker to modify the administrator username and password without authenticating. By delivering a crafted HTML form that submits POST data to the changeup action, a malicious page can force an authenticated administrator to unknowingly change their own credentials. The resulting unauthorized access compromises the confidentiality and control of the CMS administrative interface.

Affected Systems

Snewscms Snews CMS version 1.7 is affected by this vulnerability; other versions are not listed and have not been confirmed vulnerable.

Risk and Exploitability

The vulnerability has a CVSS score of 6.9 and an EPSS score below 1%, indicating moderate severity and a low likelihood of exploitation. The attack vector is web‑based CSRF: a user who is already logged in as an administrator must visit a malicious page. Because the exploit depends on that user interaction with a forged form, the practical risk is limited, but it remains significant because a successful attack takes administrative control of the CMS.

Generated by OpenCVE AI on April 14, 2026 at 21:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the Snewscms website or vendor support for a patch or updated release that addresses the CSRF flaw and install it promptly.
  • If a patch is unavailable, configure the CMS so that state‑changing actions such as changing credentials require a CSRF token that the attacker cannot forge.
  • Enable multi‑factor authentication for all administrator accounts to reduce the risk of compromised credentials being exploited immediately.
  • Use a web application firewall or similar mechanism to block or scrutinize POST requests to the changeup endpoint that lack valid authentication or CSRF protection.
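The second and fourth recommendations above describe the standard CSRF defence: every state‑changing request must carry a secret token bound to the victim's session, and the server should additionally reject requests whose Origin/Referer does not match the site. The following Python sketch is an added illustration written for this page; it is not Snews code and does not reflect how Snews routes its changeup action. The session store, the admin record, the site origin `https://cms.example` and the form action path are all constructed assumptions.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlparse

# Constructed values for the example; a real CMS keeps these in its own
# session storage and configuration.
SITE_ORIGIN = "https://cms.example"
SESSIONS = {}                                    # session_id -> session dict
ADMIN = {"username": "admin", "salt": b"", "password_hash": b""}


def _hash_password(password, salt):
    # Salted PBKDF2 so the stored credential is not reversible.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def set_admin_credentials(username, password):
    salt = secrets.token_bytes(16)
    ADMIN["username"] = username
    ADMIN["salt"] = salt
    ADMIN["password_hash"] = _hash_password(password, salt)


def verify_admin_password(password):
    return hmac.compare_digest(_hash_password(password, ADMIN["salt"]),
                               ADMIN["password_hash"])


def login_admin(session_id):
    # Assumed to run after a successful password check; starts with no token.
    SESSIONS[session_id] = {"authenticated": True, "csrf_token": None}


def issue_csrf_token(session_id):
    # Fresh unguessable token stored server-side in the session.
    token = secrets.token_urlsafe(32)
    SESSIONS[session_id]["csrf_token"] = token
    return token


def render_changeup_form(session_id):
    # The token is embedded in the legitimate form; a third-party page cannot
    # read it, so a forged form cannot include it. The action path is hypothetical.
    token = issue_csrf_token(session_id)
    return ('<form method="post" action="?action=changeup">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '<input name="username"><input name="password" type="password">'
            '<input type="submit" value="Change"></form>')


def _request_origin(headers):
    # Prefer Origin; fall back to the scheme+host of Referer; None if neither.
    origin = headers.get("Origin")
    if origin:
        return origin
    referer = headers.get("Referer")
    if referer:
        p = urlparse(referer)
        return f"{p.scheme}://{p.netloc}"
    return None


def handle_changeup(session_id, headers, form):
    """Server side of the credential-change action with CSRF checks.

    Returns (status, message) so callers can assert on the decision."""
    sess = SESSIONS.get(session_id)
    if not sess or not sess.get("authenticated"):
        return 401, "not authenticated"
    expected = sess.get("csrf_token")
    submitted = form.get("csrf_token", "")
    # Constant-time comparison on bytes; a missing server token also fails.
    if not expected or not hmac.compare_digest(expected.encode(), submitted.encode()):
        return 403, "missing or invalid CSRF token"
    # Defence in depth: a forged form is submitted from another origin.
    if _request_origin(headers) != SITE_ORIGIN:
        return 403, "cross-origin request rejected"
    sess["csrf_token"] = None                    # single-use token
    set_admin_credentials(form["username"], form["password"])
    return 200, "credentials updated"
```

The token check alone already defeats the forged‑form scenario described in this record; the origin check catches misconfigurations (for example a token accidentally exposed in a URL) and costs nothing extra. Rotating the token after each use limits the window in which a leaked value could be replayed.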


Tracking


Advisories

No advisories yet.

History

Tue, 14 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:snewscms:snews:*:*:*:*:*:*:*:*

Mon, 06 Apr 2026 20:00:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 04 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description Snews CMS 1.7 contains a cross-site request forgery vulnerability that allows attackers to change administrator credentials without authentication by crafting malicious HTML forms. Attackers can trick authenticated administrators into visiting a page containing a hidden form that submits POST requests to the changeup action, modifying the admin username and password parameters to gain unauthorized access.
Title Snews CMS 1.7 Cross-Site Request Forgery via changeup
First Time appeared Snewscms
Snewscms snews
Weaknesses CWE-352
CPEs cpe:2.3:a:snewscms:snews:1.7:*:*:*:*:*:*:*
Vendors & Products Snewscms
Snewscms snews
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-06T17:56:34.643Z

Reserved: 2026-04-04T13:32:48.661Z

Link: CVE-2016-20051

Vulnrichment

Updated: 2026-04-06T17:56:22.331Z

NVD

Status : Analyzed

Published: 2026-04-04T14:16:17.370

Modified: 2026-04-14T19:04:50.897

Link: CVE-2016-20051

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T16:30:09Z

Weaknesses