T
TraceWithin

CVE-2018-25168

Medium
|5.3
Exploit Available

Plain English Summary

AI-powered analysis for quick understanding

This vulnerability allows attackers to create new administrative user accounts on the Precurio Intranet Portal without needing to log in or have any special permissions. They can do this by sending specially crafted requests to a specific part of the system, taking advantage of a lack of security checks.

Technical Description

Precurio Intranet Portal 2.0 contains a cross-site request forgery vulnerability that allows unauthenticated attackers to create administrative user accounts by submitting crafted POST requests. Attackers can forge requests to the /public/admin/user/submitnew endpoint with user creation parameters to add new admin accounts without requiring CSRF tokens or user interaction.

CVSS Vector Analysis

Attack VectorNetwork
Attack ComplexityLow
Privileges RequiredNone
User InteractionRequired
Confidentiality ImpactHigh
Integrity ImpactHigh
Availability ImpactHigh
ScopeChanged

Vector String

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Exploit Resources

Search for proof-of-concept code and exploit modules

GitHub SearchExploit-DBNuclei TemplatesMetasploitVulners

Official References

NIST NVD
Est. Bounty
$724($500-$1K)
Vendor Response
Grade APatched in 3 days

Quick Information

Published

Mar 6, 2026

about 1 month ago

Last Modified

Mar 9, 2026

29 days ago