CVE-2021-25976
HIGH
Published Nov 16, 20214y ago · Modified Jun 17, 20261w ago
8.1 CVSS 3.1
Published Nov 16, 2021 4y ago
Last Modified Jun 17, 2026 1w ago
Description
In PiranhaCMS, versions 4.0.0-alpha1 to 9.2.0 are vulnerable to cross-site request forgery (CSRF) when performing various actions supported by the management system, such as deleting a user, deleting a role, editing a post, deleting a media folder etc., when an ID is known.
CVSS Details
Base Score
Exploitability
Impact
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction Required
Scope Unchanged
Confidentiality None
Integrity High
Availability High
Threat Intelligence
No active exploitation signals — not in CISA KEV and no EPSS score yet.
Exploit & Patch Status
No Known Exploit
Patch Available
Weaknesses 1
CWE-352 Cross-Site Request Forgery (CSRF) Authentication
Affected Products 12
| Vendor | Product | Version | Range |
|---|---|---|---|
| dotnetfoundation | piranha_cms | * | ≥4.0.1 – ≤9.2 |
| dotnetfoundation | piranha_cms | 4.0.0 | any |
| dotnetfoundation | piranha_cms | 4.0.0 | any |
| dotnetfoundation | piranha_cms | 4.0.0 | any |
| dotnetfoundation | piranha_cms | 4.0.0 | any |
| dotnetfoundation | piranha_cms | 4.0.0 | any |
| dotnetfoundation | piranha_cms | 4.0.0 | any |
| dotnetfoundation | piranha_cms | 4.0.0 | any |
| dotnetfoundation | piranha_cms | 4.0.0 | any |
| dotnetfoundation | piranha_cms | 4.0.0 | any |
| dotnetfoundation | piranha_cms | 4.0.0 | any |
| dotnetfoundation | piranha_cms | 4.0.0 | any |
References 2
- github.com https://github.com/PiranhaCMS/piranha.core/commit/e42abacdd0dd880ce9cf6607efcc24646ac82eda
- whitesourcesoftware.com https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25976
Remediation
- github.com https://github.com/PiranhaCMS/piranha.core/commit/e42abacdd0dd880ce9cf6607efcc24646ac82eda