Description
bloofoxCMS 0.5.2.1 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions by tricking logged-in users into visiting malicious pages. Attackers can craft hidden forms targeting the admin user creation endpoint to add new administrative accounts with arbitrary credentials without requiring explicit user consent.
Published: 2026-05-16
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an attacker to trick a logged‑in administrator into submitting a hidden form that creates a new user with full administrative rights. This is a classic CSRF flaw, classified as CWE‑352, that permits the addition of accounts with arbitrary credentials without explicit user permission, thereby enabling privilege escalation and compromising administrative control.

Affected Systems

The description names bloofoxCMS 0.5.2.1 as affected. The record's CPE list, however, enumerates every bloofoxCMS release from 0.1.0 through 0.5.2.1, and no fixed version is named anywhere on this page, so earlier releases should be treated as affected until the vendor states otherwise.

Risk and Exploitability

The CVSS 4.0 base score is 6.9 (Medium) and the CVSS 3.1 base score is 5.3. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog. The attacker does not need the victim's credentials or session token: it is enough that an administrator is logged in to the CMS and visits an attacker‑controlled page, whose hidden form auto‑submits to the user‑creation endpoint while the browser attaches the administrator's session cookie. Both recorded vectors carry UI:N, although a CSRF attack by definition requires the victim to load the attacker's page, so the vectors likely overstate how little interaction is needed. Because the attack uses standard CSRF techniques and needs no privileges of its own, exploitation is considered moderately likely.

Generated by OpenCVE AI on May 16, 2026 at 16:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade bloofoxCMS to a fixed release once the vendor publishes one; no fixed version is listed on this page.
  • Add an anti‑CSRF token to every state‑changing administrative request: a per‑session secret embedded as a hidden field in the user‑creation form and compared server‑side with a constant‑time check, with requests that lack it or carry the wrong value rejected. Rejecting requests whose Origin (or, failing that, Referer) header does not match the site's own origin, and marking the session cookie SameSite, add further layers.
  • Checking that the requester holds an active administrator session is necessary but does not by itself stop CSRF: the forged request is sent by the victim's own browser, which attaches the valid session cookie automatically. Until a fix is available, administrators should avoid browsing untrusted sites while logged in to the CMS and log out when finished.
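The following is an added example, not bloofoxCMS code and not part of the OpenCVE page: a minimal Python model of a hardened user‑creation handler, run against constructed requests. It shows why an active‑session check alone passes the forged request described above and what the synchronizer token and origin checks add. SITE_ORIGIN, SESSIONS, handle_user_add, the csrf_token field name and the attacker origin are assumptions for illustration; bloofoxCMS's real endpoint, parameter names and session handling are not shown on this page and are not reproduced here.

```python
import hmac
import secrets
from dataclasses import dataclass
from urllib.parse import urlsplit

# Hypothetical site origin and session store; the real CMS's handler,
# parameter names and session layout are not on the page and not modelled.
SITE_ORIGIN = "https://cms.example.test"

# session_id -> per-session state including a CSRF token (hypothetical store)
SESSIONS: dict[str, dict] = {}


def new_session(user: str) -> str:
    """Create a logged-in admin session with a fresh per-session CSRF token."""
    sid = secrets.token_urlsafe(24)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid: str) -> str:
    """Token the server embeds in its own user-add form as a hidden field."""
    return SESSIONS[sid]["csrf"]


@dataclass
class Request:
    cookies: dict
    headers: dict
    form: dict


def same_origin(headers: dict) -> bool:
    """Reject unless Origin (or, failing that, Referer) matches our own origin.
    The browser sets these headers on a cross-site form post and page script
    cannot forge them, so a hidden form on attacker.example is identifiable."""
    origin = headers.get("Origin")
    if origin is None:
        ref = headers.get("Referer")
        if ref is None:
            return False  # fail closed: no way to tell where it came from
        p = urlsplit(ref)
        origin = f"{p.scheme}://{p.netloc}"
    return origin == SITE_ORIGIN


def handle_user_add(req: Request) -> tuple[int, str]:
    """Hardened user-creation handler: session check AND CSRF checks."""
    sid = req.cookies.get("session")
    sess = SESSIONS.get(sid)
    if sess is None:
        return 401, "not logged in"
    # The session check above passes for a forged request too: the victim's
    # browser attaches the cookie automatically. The next two checks are what
    # actually stop CSRF.
    if not same_origin(req.headers):
        return 403, "cross-origin request rejected"
    supplied = req.form.get("csrf_token", "")
    # Constant-time comparison so the token cannot be guessed byte by byte.
    if not hmac.compare_digest(supplied.encode(), sess["csrf"].encode()):
        return 403, "missing or invalid CSRF token"
    return 200, f"created user {req.form['username']!r} by {sess['user']}"


def demo() -> dict:
    """Constructed requests: one legitimate submission and two forgeries."""
    sid = new_session("admin")
    legit = Request(
        cookies={"session": sid},
        headers={"Origin": SITE_ORIGIN},
        form={"username": "newadmin", "password": "x", "csrf_token": csrf_token_for(sid)},
    )
    # Hidden form auto-submitted from an attacker page the admin visited.
    forged = Request(
        cookies={"session": sid},  # the browser sends the victim's cookie anyway
        headers={"Origin": "https://attacker.example"},
        form={"username": "evil", "password": "x"},
    )
    # Same forgery carrying a guessed token and only a Referer header.
    forged_guess = Request(
        cookies={"session": sid},
        headers={"Referer": "https://attacker.example/page.html"},
        form={"username": "evil", "password": "x", "csrf_token": secrets.token_urlsafe(32)},
    )
    return {
        "legit": handle_user_add(legit),
        "forged": handle_user_add(forged),
        "forged_guess": handle_user_add(forged_guess),
    }


if __name__ == "__main__":
    for name, (status, msg) in demo().items():
        print(f"{name}: {status} {msg}")
```

Both forgeries pass the session check, because the cookie is the victim's, and are stopped only by the origin and token checks; the token must be bound to the session (or derived from it) so a token an attacker obtains from their own account does not validate against the administrator's.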


Advisories

No advisories yet.

History

Sat, 16 May 2026 15:45:00 +0000

Type / Values Removed / Values Added (nothing was removed in this entry; only the added values are listed)

Description (added): bloofoxCMS 0.5.2.1 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions by tricking logged-in users into visiting malicious pages. Attackers can craft hidden forms targeting the admin user creation endpoint to add new administrative accounts with arbitrary credentials without requiring explicit user consent.

Title (added): bloofoxCMS 0.5.2.1 Cross-Site Request Forgery via user add

First Time appeared (added): Bloofox; Bloofox bloofoxcms

Weaknesses (added): CWE-352

CPEs (added):
  cpe:2.3:a:bloofox:bloofoxcms:0.1.0:*:*:*:*:*:*:*
  cpe:2.3:a:bloofox:bloofoxcms:0.1.1:*:*:*:*:*:*:*
  cpe:2.3:a:bloofox:bloofoxcms:0.1.2:*:*:*:*:*:*:*
  cpe:2.3:a:bloofox:bloofoxcms:0.1.3:*:*:*:*:*:*:*
  cpe:2.3:a:bloofox:bloofoxcms:0.2.0:*:*:*:*:*:*:*
  cpe:2.3:a:bloofox:bloofoxcms:0.2.1:*:*:*:*:*:*:*
  cpe:2.3:a:bloofox:bloofoxcms:0.2.2:*:*:*:*:*:*:*
  cpe:2.3:a:bloofox:bloofoxcms:0.2.3.1:*:*:*:*:*:*:*
  cpe:2.3:a:bloofox:bloofoxcms:0.2.3:*:*:*:*:*:*:*
  cpe:2.3:a:bloofox:bloofoxcms:0.3.0:*:*:*:*:*:*:*
  cpe:2.3:a:bloofox:bloofoxcms:0.3.1:*:*:*:*:*:*:*
  cpe:2.3:a:bloofox:bloofoxcms:0.3.2:*:*:*:*:*:*:*
  cpe:2.3:a:bloofox:bloofoxcms:0.3.3:*:*:*:*:*:*:*
  cpe:2.3:a:bloofox:bloofoxcms:0.3.4:*:*:*:*:*:*:*
  cpe:2.3:a:bloofox:bloofoxcms:0.3.5:*:*:*:*:*:*:*
  cpe:2.3:a:bloofox:bloofoxcms:0.4.0:*:*:*:*:*:*:*
  cpe:2.3:a:bloofox:bloofoxcms:0.4.1:*:*:*:*:*:*:*
  cpe:2.3:a:bloofox:bloofoxcms:0.5.0:*:*:*:*:*:*:*
  cpe:2.3:a:bloofox:bloofoxcms:0.5.1:*:*:*:*:*:*:*
  cpe:2.3:a:bloofox:bloofoxcms:0.5.2.1:*:*:*:*:*:*:*

Vendors & Products (added): Bloofox; Bloofox bloofoxcms

References (added): none listed

Metrics (added):
  cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}
  cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-16T15:28:04.200Z

Reserved: 2026-05-15T14:57:57.144Z

Link: CVE-2020-37241

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-16T16:16:20.350

Modified: 2026-05-16T16:16:20.350

Link: CVE-2020-37241

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-16T18:30:28Z

Weaknesses