CVE-2024-45264
Published: 27 August 2024
Summary
CVE-2024-45264 is a high-severity CSRF (CWE-352) vulnerability in Skyss Arfa-Cms. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked in the top 7.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
A cross-site request forgery vulnerability tracked as CVE-2024-45264 affects the administrative interface of SkySystem Arfa-CMS versions prior to 5.1.3124. The flaw, assigned CWE-352, permits an attacker to submit unauthorized requests that add a new administrator account without the victim's knowledge or interaction beyond visiting a malicious page.
An unauthenticated remote attacker can exploit the issue by crafting a web page or link that, when visited by an authenticated administrator, triggers the addition of a privileged account. Successful exploitation grants the attacker full administrative control over the CMS instance, enabling further actions such as content manipulation or persistence within the application.
The GitHub repository at https://github.com/TheHermione/CVE-2024-45264 and the vendor site at https://skyss.ru provide the primary references for the issue. The EPSS score has remained flat at 0.0928 with no observed increase following disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-41400
Vulnerability details
A cross-site request forgery (CSRF) vulnerability in the admin panel in SkySystem Arfa-CMS before 5.1.3124 allows remote attackers to add a new administrator, leading to escalation of privileges.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CSRF vulnerability in admin panel of public-facing CMS enables exploitation of public-facing application (T1190), creation of new administrator account (T1136), and privilege escalation (T1068).
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Awareness training educates users on avoiding untrusted links and actions that can be exploited via CSRF.
Requiring user re-entry of credentials for sensitive actions prevents automated forgery of requests without active user participation.
Security testing regimens explicitly include checks for missing or ineffective anti-CSRF protections in web applications.
Detects anomalous request patterns consistent with cross-site request forgery.