Description
Cotonti 1.0.0 (master branch, commit f43f1fc3) is vulnerable to Cross-Site Request Forgery in the administration rights handler. In system/admin/admin.rights.php, the rights update action ('a=update') modifies group access rights (including via cot_auth_add_group) without calling cot_check_xg() to validate the anti-CSRF token. A remote attacker who lures an authenticated administrator into visiting a malicious page can force the browser to submit a forged request that grants elevated permissions to an attacker-controlled group, escalating privileges to administrator. Because Cotonti administrators can modify templates and configuration, this can be further leveraged toward remote code execution.
Published: 2026-06-18
Score: 9.4 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A cross-site request forgery flaw in the Cotonti administration rights handler lets a remote attacker trick a logged-in administrator's browser into submitting a request that grants elevated rights to a group the attacker controls. Because the 'a=update' action changes group rights without validating the anti-CSRF token, the attacker's account ends up with administrator-level rights. Administrators can edit templates and configuration, so the flaw can be chained toward remote code execution.

Affected Systems

The record identifies Cotonti 1.0.0 at master-branch commit f43f1fc3 as vulnerable. No fixed version or commit is named, so any deployment built from that commit, or from any build in which the 'a=update' action of system/admin/admin.rights.php still lacks the cot_check_xg() call, should be treated as affected.

Risk and Exploitability

The CVSS v4.0 score is 9.4 (v3.1: 9.6), critical. The vector requires no privileges but does require user interaction: the administrator must visit an attacker-controlled page while holding a valid admin session. The EPSS score is below 1%, so observed exploitation is currently unlikely, and the CVE is not listed in CISA's KEV catalog. The attack itself is simple, a hidden auto-submitting form on any page the administrator opens, and because the forged request is sent by the administrator's own browser, restricting the admin interface by IP does not by itself stop it. Sites with internet-accessible admin panels and long-lived admin sessions are most exposed.

Generated by OpenCVE AI on June 18, 2026 at 19:50 UTC.

Remediation

No vendor fix or workaround currently provided.
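The record names the missing call but no fix exists yet. As an added illustration, not Cotonti's code and not a vendor patch, the following PHP models the pattern the description describes: an 'a=update' branch that changes group rights with no cot_check_xg() call, beside a hardened branch that validates the token before acting. The bodies of cot_xg() and cot_check_xg() here are simplified stand-ins for Cotonti's session-key functions, and the request parameters gid and rights, the rights store, and the site origin https://example.test are assumptions made for the demo.

```php
<?php
// Added illustration, not Cotonti's code. Models the admin.rights.php
// 'a=update' handling described in CVE-2026-55742. cot_xg()/cot_check_xg()
// are real Cotonti function names, but the bodies below are simplified
// stand-ins; the parameters 'gid' and 'rights' are hypothetical.

declare(strict_types=1);

// Stand-in for the per-session anti-CSRF key Cotonti keeps in $sys['xk'].
// A page on another origin cannot read it, so it cannot forge a valid x.
function session_key(): string
{
    static $key = null;
    if ($key === null) {
        $key = bin2hex(random_bytes(16));
    }
    return $key;
}

// Stand-in for cot_xg(): the 'x=<key>' fragment admin links/forms carry.
function cot_xg(): string
{
    return 'x=' . session_key();
}

// Stand-in for cot_check_xg(): true only when the request carries the
// session's key. hash_equals() keeps the comparison constant-time.
function cot_check_xg(array $get): bool
{
    $x = isset($get['x']) && is_string($get['x']) ? $get['x'] : '';
    return hash_equals(session_key(), $x);
}

// Hypothetical rights store: group id => list of granted rights.
$rights = ['admins' => ['admin.all'], 'guests' => ['read']];

// Vulnerable shape: 'a=update' is acted on with no token check, so an
// auto-submitted form on any page the admin visits can drive it.
function update_rights_vulnerable(array &$rights, array $get, array $post): bool
{
    if (($get['a'] ?? '') !== 'update') {
        return false;
    }
    $rights[$post['gid']] = $post['rights'];   // grants whatever was posted
    return true;
}

// Hardened shape: refuse the state change unless the token validates.
// Requiring POST and rejecting a foreign Origin are defence in depth;
// neither replaces the token check.
function update_rights_hardened(array &$rights, array $get, array $post, array $server): bool
{
    if (($get['a'] ?? '') !== 'update') {
        return false;
    }
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return false;
    }
    if (!cot_check_xg($get)) {
        return false;                           // Cotonti would cot_die() here
    }
    $siteOrigin = 'https://example.test';      // assumed site origin
    if (isset($server['HTTP_ORIGIN']) && $server['HTTP_ORIGIN'] !== $siteOrigin) {
        return false;
    }
    $rights[$post['gid']] = $post['rights'];
    return true;
}

// Constructed forged request: the attacker's page knows gid/rights but not x.
$forgedGet    = ['a' => 'update'];
$forgedPost   = ['gid' => 'attacker', 'rights' => ['admin.all']];
$forgedServer = ['REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN' => 'https://evil.test'];

$v = $rights;
update_rights_vulnerable($v, $forgedGet, $forgedPost);
echo 'vulnerable: attacker group rights = ', json_encode($v['attacker'] ?? null), PHP_EOL;

$h  = $rights;
$ok = update_rights_hardened($h, $forgedGet, $forgedPost, $forgedServer);
echo 'hardened: forged request applied? ', $ok ? 'yes' : 'no', PHP_EOL;

// Legitimate request from the admin UI carries the cot_xg() token in the URL.
parse_str(cot_xg(), $xParam);
$ok = update_rights_hardened(
    $h,
    $forgedGet + $xParam,
    ['gid' => 'editors', 'rights' => ['write']],
    ['REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN' => 'https://example.test']
);
echo 'hardened: legitimate request applied? ', $ok ? 'yes' : 'no', PHP_EOL;
```

Run it with the php command-line binary: the forged request succeeds against the vulnerable branch and is rejected by the hardened one, while the request carrying the cot_xg() token is applied. The Origin check and SameSite session cookies are worth adding as defence in depth, but the token check is what closes CWE-352 here.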

OpenCVE Recommended Actions

  • Update Cotonti to a release or commit in which the 'a=update' branch of system/admin/admin.rights.php calls cot_check_xg() before changing group rights. Commit f43f1fc3 is the vulnerable commit named in the description, not the fix; this record identifies no fixed version.
  • Set the session cookie to SameSite=Lax or Strict and reject administrative state-changing requests whose Origin or Referer is not the site itself (for example at the reverse proxy); these stop forged cross-site submissions. Restricting the admin interface to trusted IP ranges or a VPN reduces general exposure but does not by itself prevent CSRF, because the forged request is sent by the administrator's own browser.
  • Enforce stricter authentication for administrators, such as two-factor authentication, short admin session lifetimes and logging out after administrative work, so a forged request is less likely to find a live session.


Advisories

No advisories yet.

History

Thu, 18 Jun 2026 16:45:00 +0000

Type: Description
  Values Removed: (none)
  Values Added: Cotonti 1.0.0 (master branch, commit f43f1fc3) is vulnerable to Cross-Site Request Forgery in the administration rights handler. In system/admin/admin.rights.php, the rights update action ('a=update') modifies group access rights (including via cot_auth_add_group) without calling cot_check_xg() to validate the anti-CSRF token. A remote attacker who lures an authenticated administrator into visiting a malicious page can force the browser to submit a forged request that grants elevated permissions to an attacker-controlled group, escalating privileges to administrator. Because Cotonti administrators can modify templates and configuration, this can be further leveraged toward remote code execution.

Type: Title
  Values Removed: (none)
  Values Added: Cotonti CSRF in admin.rights.php allows privilege escalation

Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-352

Type: References
  Values Removed: (none)
  Values Added: (none)

Type: Metrics
  Values Removed: (none)
  Values Added:
    cvssV3_1: {'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}
    cvssV4_0: {'score': 9.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}
    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


MITRE

Status: PUBLISHED

Assigner: TuranSec

Published:

Updated: 2026-06-18T12:54:36.833Z

Reserved: 2026-06-17T12:59:17.621Z

Link: CVE-2026-55742

Vulnrichment

Updated: 2026-06-18T12:54:32.368Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T20:00:15Z

Weaknesses
  • CWE-352: Cross-Site Request Forgery (CSRF)