Technical
Advisory

Through sharp, technical and insightful analysis, the Payatu Team is constantly on the lookout for vulnerabilities and threats. This section exhibits a few of our findings.

...
...

Vulnerability

PyroCMS 3.7 is vulnerable to cross-site request forgery (CSRF) via the admin/addons/uninstall/anomaly.module.blocks URI: an arbitrary plugin will be deleted.

Vulnerability Description

The PyroCMS is vulnerable to cross-site request forgery (CSRF). Due to action is performed via GET request. An attacker can leverage this vulnerability by creating a page (which has malicious request) and host this page on his server and share this page to victims through social engineering methods. Once the victims who are already authenticated to the PyroCMS, click upon the page, unintended actions will be performed on the victim’s behalf and the arbitrary plugin will be deleted.

CVE-ID

CVE-2020-25263

Vendor

PyroCMS

Product

PyroCMS >= 3.7 version

Disclosure Timeline

  1. 20 June 2020 reported to the vendor
  2. 10 October 2020 CVE published

Credits

Farid Luhar