Description
Cotonti 1.0.0 (master branch, commit f43f1fc3) is vulnerable to Cross-Site Request Forgery in the administration configuration handler. In system/admin/admin.config.php, the configuration update action ('a=update') processes POST data via cot_config_update_options() without calling cot_check_xg() to validate the anti-CSRF token (the 'x' parameter), unlike other admin handlers (e.g. admin.structure.php, admin.cache.php). A remote attacker who lures an authenticated administrator into visiting a malicious page can force the browser to submit a forged request that modifies arbitrary core, module, or plugin configuration options, which can be leveraged to weaken security or enable further compromise.
Published: 2026-06-18
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Cotonti 1.0.0 suffers from a Cross‑Site Request Forgery flaw in the administration configuration handler. The update action (`a=update`) accepts POST data through `cot_config_update_options()` without first validating the anti‑CSRF token parameter (`x`), unlike other admin handlers. This omission allows an attacker to force an authenticated administrator to submit a forged request that changes any core, module, or plugin configuration option. The resulting configuration changes can weaken security controls or facilitate further compromise. The weakness is catalogued as CWE‑352.

Affected Systems

The vulnerability affects the Cotonti content management system, specifically the master branch commit f43f1fc3 (version 1.0.0).

Risk and Exploitability

The CVSS v3.1 score is 8.7, a high severity: a successful attack lets the attacker alter system configuration with the privileges of an authenticated administrator. The EPSS score is less than 1%, suggesting that exploit attempts are currently rare, possibly because an administrator must first be lured into visiting a malicious page. The vulnerability is not listed in CISA's KEV catalogue. The likely attack vector requires an attacker to convince a logged‑in administrator to load a malicious site, which then submits the forged POST request. If successful, the attacker can modify security‑relevant settings and pave the way for further intrusion. The absence of an exposed administrative API limits large‑scale automation of the exploit, but web‑based social engineering remains effective.

Generated by OpenCVE AI on June 18, 2026 at 19:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a version of Cotonti where the admin.config.php handler includes a call to `cot_check_xg()` before processing configuration updates.
  • If an update is not immediately available, manually edit `system/admin/admin.config.php` to add a call to `cot_check_xg()` after the admin check and before `cot_config_update_options()`; this enforces the presence of a CSRF token.
  • Restrict access to the administration console by limiting it to trusted IP addresses or a VPN, monitor configuration files for unauthorized changes, and consider disabling the 'update' action if it is not required.
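The pattern the advisory and the recommended fix describe, as a before/after sketch added here for illustration; this is not Cotonti's own source. Only `cot_check_xg()` and `cot_config_update_options()` are names from the page; the argument list passed to `cot_config_update_options()`, the handler function names and the POST field names are assumptions.

```php
<?php
// Illustrative sketch, not Cotonti's code. The admin.config.php handler is
// reduced to its dispatch on the action parameter $a. The argument list of
// cot_config_update_options() and the POST field names are assumed.

// Vulnerable pattern described in the advisory: the 'update' branch passes
// the POST data straight to cot_config_update_options() without checking the
// anti-CSRF token, so a cross-origin form submission that carries only the
// administrator's session cookie is processed like a legitimate one.
function admin_config_update_vulnerable(string $a, array $post): void
{
    if ($a === 'update') {
        // assumed signature: (option group, submitted values)
        cot_config_update_options($post['o'] ?? '', $post['v'] ?? []);
    }
}

// Hardened pattern, matching the other admin handlers (admin.structure.php,
// admin.cache.php): cot_check_xg() validates the 'x' token parameter before
// any state change. A forged cross-site request cannot supply a valid token,
// so it is rejected before cot_config_update_options() runs.
function admin_config_update_hardened(string $a, array $post): void
{
    if ($a === 'update') {
        cot_check_xg();   // reject the request unless the CSRF token is valid
        // assumed signature: (option group, submitted values)
        cot_config_update_options($post['o'] ?? '', $post['v'] ?? []);
    }
}
```

The only difference between the two handlers is the single `cot_check_xg()` call placed after the admin check and before the update, which is exactly the manual edit recommended above.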


Advisories

No advisories yet.

History

Thu, 18 Jun 2026 16:45:00 +0000

Type | Values Removed | Values Added
Description | (none) | Cotonti 1.0.0 (master branch, commit f43f1fc3) is vulnerable to Cross-Site Request Forgery in the administration configuration handler. In system/admin/admin.config.php, the configuration update action ('a=update') processes POST data via cot_config_update_options() without calling cot_check_xg() to validate the anti-CSRF token (the 'x' parameter), unlike other admin handlers (e.g. admin.structure.php, admin.cache.php). A remote attacker who lures an authenticated administrator into visiting a malicious page can force the browser to submit a forged request that modifies arbitrary core, module, or plugin configuration options, which can be leveraged to weaken security or enable further compromise.
Title | (none) | Cotonti CSRF in admin.config.php allows unauthorized configuration changes
Weaknesses | (none) | CWE-352
References | (none) | (none)
Metrics | (none) | cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}
  cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

MITRE

Status: PUBLISHED

Assigner: TuranSec

Published:

Updated: 2026-06-18T12:53:57.740Z

Reserved: 2026-06-17T12:59:17.621Z

Link: CVE-2026-55741

Vulnrichment

Updated: 2026-06-18T12:53:52.851Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T20:00:15Z

Weaknesses
  • CWE-352: Cross-Site Request Forgery (CSRF)