CVE-2020-37241 Overview
CVE-2020-37241 is a Cross-Site Request Forgery (CSRF) vulnerability [CWE-352] in bloofoxCMS 0.5.2.1. The flaw resides in the administrative user creation endpoint, which does not validate the origin of state-changing requests. Attackers can craft hidden HTML forms that submit to the admin panel when an authenticated administrator visits a malicious page. The forged request creates a new administrative account with attacker-controlled credentials, granting persistent access to the content management system.
Critical Impact
Successful exploitation results in the creation of an arbitrary administrator account, giving attackers full control over the affected bloofoxCMS installation.
Affected Products
- bloofoxCMS version 0.5.2.1
- The administrative user-add functionality in bloofoxCMS
- Web servers hosting vulnerable bloofoxCMS deployments
Discovery Timeline
- 2026-05-16 - CVE-2020-37241 published to NVD
- 2026-05-18 - Last updated in NVD database
Technical Details for CVE-2020-37241
Vulnerability Analysis
The vulnerability stems from the absence of anti-CSRF protection on the administrative user creation endpoint in bloofoxCMS. The application accepts POST requests to add new users without verifying a per-session CSRF token or validating the Origin and Referer headers. An authenticated administrator who visits an attacker-controlled page triggers the malicious request automatically, with the browser supplying valid session cookies. The server processes the forged request as legitimate administrative activity. Public exploitation details are documented in Exploit-DB #49507 and the VulnCheck Advisory on CSRF.
Root Cause
The root cause is a missing synchronizer token pattern on state-changing administrative requests. The user creation handler relies solely on session cookies for authorization. Because cookies are sent automatically by browsers on cross-origin form submissions, the endpoint cannot distinguish between a request initiated by the administrator and one forged by a remote attacker.
Attack Vector
The attack requires an authenticated bloofoxCMS administrator to visit an attacker-controlled web page or click a malicious link while logged in. The attacker hosts a page containing a hidden form that auto-submits via JavaScript to the bloofoxCMS administrative endpoint responsible for adding users. The form supplies parameters such as username, password, email, and role. When the administrator's browser submits the form, the application creates a new administrator account using the attacker-supplied values. The attacker then logs in with those credentials and gains full administrative control. No memory corruption or code execution primitive is required; the issue is purely a missing origin-validation control.
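The following is an added illustration, not bloofoxCMS code and not part of the advisory: the cookie-only handler shape described above beside a version that applies the synchronizer token pattern and an origin check in front of the same "add user" action. The Request and Session objects, the placeholder origin cms.example.com and the sample form values are assumptions made for the demonstration; the endpoint path and the field names follow the advisory.

```python
"""Synchronizer-token CSRF check in front of an admin "add user" action.

Added illustration, not bloofoxCMS code. Request and Session are small
stand-ins (assumed); the field names and endpoint path follow the advisory.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

CMS_ORIGIN = "https://cms.example.com"          # placeholder CMS origin (assumed)
ADD_USER_PATH = "/admin/include/inc_user.php"   # endpoint path from the advisory


@dataclass
class Session:
    """Server-side session state reached through the session cookie."""
    user: str
    is_admin: bool
    csrf_token: Optional[str] = None


@dataclass
class Request:
    """Minimal request model: method, path, headers, POST fields, bound session."""
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    session: Optional[Session] = None


def issue_csrf_token(session: Session) -> str:
    """Create one unguessable token per session; the admin form embeds it as a hidden field."""
    if session.csrf_token is None:
        session.csrf_token = secrets.token_urlsafe(32)
    return session.csrf_token


def same_origin(request: Request) -> bool:
    """Defence in depth: Origin must be the CMS; fall back to Referer only if Origin is absent."""
    origin = request.headers.get("Origin")
    if origin is not None:
        return origin == CMS_ORIGIN
    return request.headers.get("Referer", "").startswith(CMS_ORIGIN + "/")


def add_user_vulnerable(request: Request, users: dict) -> int:
    """Behaviour the advisory describes: only the session cookie gates the action."""
    s = request.session
    if s is None or not s.is_admin:
        return 403
    users[request.form["username"]] = request.form.get("role", "user")
    return 200


def add_user_hardened(request: Request, users: dict) -> int:
    """Same action behind method, origin and synchronizer-token checks."""
    s = request.session
    if s is None or not s.is_admin:
        return 403
    if request.method != "POST":
        return 405
    if not same_origin(request):
        return 403
    supplied = request.form.get("csrf_token", "")
    # Constant-time compare; a session that never received a token fails closed.
    if not s.csrf_token or not hmac.compare_digest(s.csrf_token, supplied):
        return 403
    users[request.form["username"]] = request.form.get("role", "user")
    return 200


def demo() -> dict:
    """Run a genuine submission and a cross-site one through both handlers."""
    admin = Session(user="admin", is_admin=True)
    token = issue_csrf_token(admin)
    genuine = Request("POST", ADD_USER_PATH, {"Origin": CMS_ORIGIN},
                      {"username": "newstaff", "role": "admin", "csrf_token": token}, admin)
    # Cross-site submission: the browser still attaches the admin session, but the
    # foreign page cannot read the token and its Origin is not the CMS (constructed).
    foreign = Request("POST", ADD_USER_PATH, {"Origin": "https://other.example.org"},
                      {"username": "unexpected", "role": "admin"}, admin)
    results = {}
    for name, handler in (("vulnerable", add_user_vulnerable), ("hardened", add_user_hardened)):
        users = {}
        results[name] = {"genuine": handler(genuine, users),
                         "foreign": handler(foreign, users), "users": sorted(users)}
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The token check is the control that closes the root cause: the cookie still travels with the cross-site request, but the form value does not, so the hardened handler rejects it while the session-only handler accepts both submissions. The origin check is kept as a second layer because a token can be leaked by other bugs, whereas a browser-originated cross-site POST cannot carry a same-origin Origin header.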
Detection Methods for CVE-2020-37241
Indicators of Compromise
- Unexpected administrator accounts present in the bloofoxCMS user table that were not provisioned by legitimate staff.
- Web server access logs showing POST requests to the administrative user-add endpoint with Referer headers pointing to external or unfamiliar domains.
- Successful admin logins from new accounts shortly after a session was observed browsing unrelated external sites.
Detection Strategies
- Audit the bloofoxCMS users database table regularly and compare the administrator list against an approved baseline.
- Inspect HTTP server logs for POST requests to administrative endpoints lacking a same-origin Referer or Origin header.
- Alert on any creation of a new account with administrative role privileges outside of approved change windows.
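As an added example (not from the advisory and not a bloofoxCMS component), the log check from the second strategy applied to a few constructed access-log lines: POSTs to the user-add endpoint are flagged when the Referer host is not the CMS or is missing. It assumes the nginx/Apache "combined" log format, which records Referer but not Origin, and the placeholder hostname cms.example.com.

```python
"""Sweep an access log for cross-site POSTs to the bloofoxCMS user-add endpoint.

Added illustration, not part of the advisory or of bloofoxCMS. Assumes the
nginx/Apache "combined" log format (which records Referer but not Origin);
the hostname and the sample lines below are constructed.
"""
import re
from urllib.parse import urlparse

CMS_HOSTS = {"cms.example.com"}                 # placeholder: the CMS's own hostname(s)
ADD_USER_PATH = "/admin/include/inc_user.php"   # endpoint path from the advisory

# combined format: ip ident user [time] "METHOD PATH PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample: one admin session (203.0.113.10) performing a legitimate add,
# then two POSTs to the same endpoint that did not originate from the CMS's own pages.
SAMPLE_LOG = """\
203.0.113.10 - - [16/May/2026:10:01:02 +0000] "GET /admin/index.php HTTP/1.1" 200 5120 "https://cms.example.com/admin/" "Mozilla/5.0"
203.0.113.10 - - [16/May/2026:10:01:30 +0000] "POST /admin/include/inc_user.php HTTP/1.1" 302 0 "https://cms.example.com/admin/index.php" "Mozilla/5.0"
203.0.113.10 - - [16/May/2026:10:04:11 +0000] "POST /admin/include/inc_user.php HTTP/1.1" 302 0 "https://blog.example.net/article.html" "Mozilla/5.0"
203.0.113.10 - - [16/May/2026:10:05:45 +0000] "POST /admin/include/inc_user.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [16/May/2026:10:06:00 +0000] "GET /index.php HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
"""


def parse_line(line: str):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def referer_host(referer: str):
    """Hostname from the Referer value; None when the field is empty or '-'."""
    if referer in ("", "-"):
        return None
    return urlparse(referer).hostname


def classify(entry: dict):
    """Label a state-changing request to the user-add endpoint, or None if it looks benign."""
    if entry["method"] != "POST":
        return None
    if urlparse(entry["path"]).path != ADD_USER_PATH:   # ignore any query string
        return None
    host = referer_host(entry["referer"])
    if host is None:
        # Lower confidence: a strict Referrer-Policy also strips Referer, but the
        # CMS's own admin pages would normally send it, so still surface the event.
        return "missing-referer"
    if host not in CMS_HOSTS:
        return "cross-site-referer"
    return None


def scan(log_text: str) -> list:
    """Run classify() over every line and collect findings with line context."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        entry = parse_line(line)
        if entry is None:
            findings.append({"line": lineno, "label": "unparsed"})
            continue
        label = classify(entry)
        if label:
            findings.append({"line": lineno, "label": label, "ip": entry["ip"],
                             "time": entry["time"], "referer": entry["referer"]})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Feed `scan()` the contents of the real access log and correlate each finding's IP and timestamp with the admin logins and new-account events from the indicator list above. If the proxy is nginx, adding `$http_origin` to the `log_format` makes the Origin header available for the same test, which is more reliable than Referer because browsers always attach Origin to cross-site POSTs.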
Monitoring Recommendations
- Forward web server and application logs to a centralized log platform and create rules for administrative privilege changes.
- Track the rate of new-account creation events and open an investigation when an account is created by a browser session immediately after that session navigated to an external site.
- Monitor outbound web traffic from administrator workstations for requests to known malicious hosts that could host CSRF payloads.
How to Mitigate CVE-2020-37241
Immediate Actions Required
- Restrict access to the bloofoxCMS administrative panel using network-level controls such as IP allowlists or VPN-only access.
- Require administrators to log out of the CMS before browsing unrelated web content, and use a dedicated browser profile for administrative tasks.
- Review all existing administrator accounts and remove any that cannot be tied to an authorized user.
Patch Information
No vendor-supplied patch is referenced in the available advisories for bloofoxCMS 0.5.2.1. Refer to the GitHub Release 0.5.2.1 page and the Bloofox Official Website for any newer releases that introduce CSRF token validation. Organizations should upgrade to a fixed release when one becomes available or migrate to a maintained CMS.
Workarounds
- Place the bloofoxCMS administrative interface behind a reverse proxy that enforces strict Referer and Origin header checks for state-changing requests.
- Deploy a web application firewall (WAF) rule that blocks POST requests to the user-add endpoint when the Origin header is not the CMS hostname.
- Set session cookies with the SameSite=Strict attribute at the reverse proxy layer to prevent the browser from sending the session cookie on cross-site form submissions.
# Example nginx configuration enforcing same-origin on the admin user-add endpoint.
# nginx does not allow nested "if" blocks, so the checks are combined through a flag
# variable. Only state-changing (POST) requests are checked: GET requests carry no
# Origin header and must still reach the admin page.
location /admin/include/inc_user.php {
    set $csrf_block 0;
    if ($request_method = POST) {
        set $csrf_block 1;
    }
    # A same-origin Origin header clears the block; browsers always send Origin on
    # cross-site POSTs, so a forged submission cannot satisfy this test.
    if ($http_origin ~* "^https?://cms\.example\.com$") {
        set $csrf_block 0;
    }
    # Fallback for clients that omit Origin but send a same-origin Referer.
    if ($http_referer ~* "^https?://cms\.example\.com/") {
        set $csrf_block 0;
    }
    if ($csrf_block = 1) {
        return 403;
    }
    proxy_pass http://bloofox_backend;
    # Rewrite the Path attribute of upstream cookies to append SameSite=Strict and
    # HttpOnly; this only affects Set-Cookie headers that already carry a Path.
    proxy_cookie_path / "/; SameSite=Strict; HttpOnly";
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

