PyroCMS 3.7 is vulnerable to cross-site request forgery (CSRF) via the admin/pages/delete/ URI: pages will be deleted.
The PyroCMS is vulnerable to cross-site request forgery (CSRF). Due to action is performed via GET request. An attacker can leverage this vulnerability by creating a form and host this form on his server and share this link to victims through social engineering methods. Once the victims who are already authenticated to the PyroCMS, click upon the link, unintended actions will be performed on the victim’s behalf and Pages will be deleted.
PyroCMS >=3.7 version
- 20 June 2020 reported to the vendor
- 10 October 2020 CVE published