CVE-2026-58143

Cotonti · Cotonti

Cotonti Siena is vulnerable to Cross-Site Request Forgery (CSRF) via the admin.php configuration update endpoint, potentially leading to unauthorized administrative actions.

Executive summary

A critical Cross-Site Request Forgery (CSRF) vulnerability in Cotonti Siena allows an unauthenticated attacker to execute unauthorized administrative actions via user interaction.

Vulnerability

The application lacks sufficient CSRF protection on the admin.php configuration update endpoint. By tricking an authenticated administrator into clicking a malicious link, an attacker can perform sensitive configuration changes without the administrator's knowledge.

Business impact

The CVSS score of 8.8 indicates a high risk, as this vulnerability allows an attacker to manipulate administrative settings remotely. If successful, this can lead to full system configuration compromise, potentially resulting in unauthorized administrative access or the injection of malicious content into the site.

Remediation

Immediate Action: Update to the latest version of Cotonti Siena that contains the necessary anti-CSRF token implementation for administrative endpoints.

Proactive Monitoring: Monitor administrative activity logs for configuration changes that were not initiated by authorized personnel during their active sessions.

Compensating Controls: Implement browser-based security headers and ensure that administrative sessions are protected by strict SameSite cookie policies.

Exploitation status

Public Exploit Available: false

Analyst recommendation

CSRF vulnerabilities impacting administrative endpoints are high-priority targets for attackers seeking to gain control over web applications. Administrators are strongly urged to update the software immediately and ensure that all administrative accounts are protected against unauthorized session hijacking.