← back
CVE-2016-20051

Snews CMS 1.7 Cross-Site Request Forgery via changeup

CVSS 6.9 MEDIUMEPSS 0.2%CWE-352
Vexday Risk Score
33Attention
SSVC decision (CISA)
Attend
PoC available → attend closely
CVSS 6.9EPSS 0.2%KEV nãoPoC públicaNuclei Metasploit Patch
Lifecycle
04 Apr 2026Published on NVD
Recommendation: Plan a near-term fix — a public PoC already exists.
Snews CMS 1.7 contains a cross-site request forgery vulnerability that allows attackers to change administrator credentials without authentication by crafting malicious HTML forms. Attackers can trick authenticated administrators into visiting a page containing a hidden form that submits POST requests to the changeup action, modifying the admin username and password parameters to gain unauthorized access.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →