Description
SemCms 5.0 is vulnerable to Cross Site Request Forgery (CSRF) via crafted POST request to /admin/semcms_user.php.
Published: 2026-06-09
Score: 6.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

SemCms 5.0 is vulnerable to Cross‑Site Request Forgery through a crafted POST request to the /admin/semcms_user.php endpoint. An attacker who can subvert a user's authenticated session could manipulate or create user accounts without authorization, potentially leading to privilege escalation or denial of service within the application. The weakness stems from insufficient validation of the request source, allowing an attacker to force the victim’s browser to send state‑changing requests.

Affected Systems

The vulnerability affects SemCms version 5.0. No additional vendor or version details are provided, and the CPE information is unavailable.

Risk and Exploitability

The lack of EPSS data and a KEV listing suggest no current evidence of widespread exploitation, but the high impact of CSRF in a web application involving sensitive admin functions means that exploitation could occur from any HTTP client with the victim’s cookies. The attack vector is network‑based, reliant on a victim’s authenticated session and the absence of CSRF tokens or proper origin checks.

Generated by OpenCVE AI on June 9, 2026 at 21:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Enable CSRF protection on /admin/semcms_user.php, ensuring a valid anti‑CSRF token is required for all state‑changing requests.
  • Restrict access to admin endpoints to authenticated users and enforce strict role checks before processing the request.
  • Set the SameSite=Strict attribute on session cookies to prevent cross‑site requests from being sent automatically.
  • As a temporary measure, require a password confirmation or an additional authentication step for critical actions until a permanent patch is applied.

Generated by OpenCVE AI on June 9, 2026 at 21:34 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Title Cross‑Site Request Forgery via Crafted POST to Admin Endpoint in SemCms 5.0

Tue, 09 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-352
Metrics cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 09 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
Description SemCms 5.0 is vulnerable to Cross Site Request Forgery (CSRF) via crafted POST request to /admin/semcms_user.php.
References

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-09T19:37:56.008Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-39170

cve-icon Vulnrichment

Updated: 2026-06-09T19:37:49.688Z

cve-icon NVD

Status : Deferred

Published: 2026-06-09T19:17:48.307

Modified: 2026-06-09T21:17:11.797

Link: CVE-2026-39170

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-09T21:45:05Z

Weaknesses