CVE-2026-58143
Cotonti · Cotonti
Cotonti Siena is vulnerable to Cross-Site Request Forgery (CSRF) via the admin.php configuration update endpoint, potentially leading to unauthorized administrative actions.
Executive summary
A critical Cross-Site Request Forgery (CSRF) vulnerability in Cotonti Siena allows an unauthenticated attacker to execute unauthorized administrative actions via user interaction.
Vulnerability
The application lacks sufficient CSRF protection on the admin.php configuration update endpoint. By tricking an authenticated administrator into clicking a malicious link, an attacker can perform sensitive configuration changes without the administrator's knowledge.
Business impact
The CVSS score of 8.8 indicates a high risk, as this vulnerability allows an attacker to manipulate administrative settings remotely. If successful, this can lead to full system configuration compromise, potentially resulting in unauthorized administrative access or the injection of malicious content into the site.
Remediation
Immediate Action: Update to the latest version of Cotonti Siena that contains the necessary anti-CSRF token implementation for administrative endpoints.
Proactive Monitoring: Monitor administrative activity logs for configuration changes that were not initiated by authorized personnel during their active sessions.
Compensating Controls: Implement browser-based security headers and ensure that administrative sessions are protected by strict SameSite cookie policies.
Exploitation status
Public Exploit Available: false
Analyst recommendation
CSRF vulnerabilities impacting administrative endpoints are high-priority targets for attackers seeking to gain control over web applications. Administrators are strongly urged to update the software immediately and ensure that all administrative accounts are protected against unauthorized session hijacking.