{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2013-20005", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-03-15T18:02:51.816Z", "datePublished": "2026-03-15T18:34:09.977Z", "dateUpdated": "2026-03-16T14:20:18.785Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-03-15T18:34:09.977Z"}, "datePublic": "2013-03-07T00:00:00.000Z", "title": "Qool CMS 2.0 RC2 Cross-Site Request Forgery via adduser", "descriptions": [{"lang": "en", "value": "Qool CMS 2.0 RC2 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions by tricking logged-in users into visiting malicious web pages. Attackers can forge POST requests to the /admin/adduser endpoint with parameters like username, password, email, and level to create root-level user accounts without user consent."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "affected": [{"vendor": "Qool", "product": "Qool CMS", "versions": [{"version": "2.0", "status": "affected"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 6.9, "baseSeverity": "MEDIUM", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS"}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS"}], "references": [{"url": "https://www.exploit-db.com/exploits/24627", "name": "ExploitDB-24627", "tags": ["exploit"]}, {"url": "http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5134.php", "name": "Vulnerability Advisory", "tags": ["vendor-advisory"]}, {"name": "VulnCheck Advisory: Qool CMS 2.0 RC2 Cross-Site Request Forgery via adduser", "tags": ["third-party-advisory"], "url": "https://www.vulncheck.com/advisories/qool-cms-rc2-cross-site-request-forgery-via-adduser"}], "x_generator": {"engine": "vulncheck"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2013-20005", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-16T14:12:28.755406Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T14:20:18.785Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "Qool CMS 2.0 RC2 Cross-Site Request Forgery via adduser", "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "Qool", "product": "Qool CMS", "versions": [{"status": "affected", "version": "2.0"}]}], "datePublic": "2013-03-07T00:00:00.000Z", "references": [{"url": "https://www.exploit-db.com/exploits/24627", "name": "ExploitDB-24627", "tags": ["exploit"]}, {"url": "http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5134.php", "name": "Vulnerability Advisory", "tags": ["vendor-advisory"]}, {"url": "https://www.vulncheck.com/advisories/qool-cms-rc2-cross-site-request-forgery-via-adduser", "name": "VulnCheck Advisory: Qool CMS 2.0 RC2 Cross-Site Request Forgery via adduser", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "vulncheck"}, "descriptions": [{"lang": "en", "value": "Qool CMS 2.0 RC2 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions by tricking logged-in users into visiting malicious web pages. Attackers can forge POST requests to the /admin/adduser endpoint with parameters like username, password, email, and level to create root-level user accounts without user consent."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-03-15T18:34:09.977Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2013-20005", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-16T14:12:28.755406Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-03-16T14:17:26.266Z"}}]}, "cveMetadata": {"cveId": "CVE-2013-20005", "state": "PUBLISHED", "dateUpdated": "2026-03-15T18:34:09.977Z", "dateReserved": "2026-03-15T18:02:51.816Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2026-03-15T18:34:09.977Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Qool CMS 2.0 RC2 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions by tricking logged-in users into visiting malicious web pages. Attackers can forge POST requests to the /admin/adduser endpoint with parameters like username, password, email, and level to create root-level user accounts without user consent."}, {"lang": "es", "value": "Qool CMS 2.0 RC2 contiene una vulnerabilidad de falsificaci\u00f3n de petici\u00f3n en sitios cruzados que permite a los atacantes realizar acciones administrativas enga\u00f1ando a usuarios con sesi\u00f3n iniciada para que visiten p\u00e1ginas web maliciosas. Los atacantes pueden falsificar peticiones POST al endpoint /admin/adduser con par\u00e1metros como nombre de usuario, contrase\u00f1a, correo electr\u00f3nico y nivel para crear cuentas de usuario de nivel root sin el consentimiento del usuario."}], "id": "CVE-2013-20005", "lastModified": "2026-04-15T14:56:45.970", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "disclosure@vulncheck.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-03-16T14:17:44.710", "references": [{"source": "disclosure@vulncheck.com", "url": "http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5134.php"}, {"source": "disclosure@vulncheck.com", "url": "https://www.exploit-db.com/exploits/24627"}, {"source": "disclosure@vulncheck.com", "url": "https://www.vulncheck.com/advisories/qool-cms-rc2-cross-site-request-forgery-via-adduser"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "disclosure@vulncheck.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[2.0,2.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Qool CMS", "source": "cna", "vendor": "Qool"}, "product": "qool_cms", "vendor": "qool"}], "analysis": {"en": {"generated_at": "2026-03-21T14:37:17.685002+00:00", "value": {"mitigation_remediation": ["Upgrade Qool CMS to a version where the CSRF bug is fixed", "If a patch is unavailable, restrict access to the /admin/adduser endpoint to trusted IP addresses only", "Implement CSRF tokens or a similar anti\u2011CSRF mechanism on all administrative actions", "Verify that only authenticated admin users can reach the endpoint"], "summary": {"action": "Patch ASAP", "impact": "Privilege Escalation via CSRF"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Qool CMS 2.0 RC2, the only version specified by the CNA. No additional versions or patch information is provided, indicating that all installations running this release are potentially exposed.", "description_and_impact": "Qool CMS 2.0 RC2 contains a cross\u2011site request forgery flaw that enables attackers to forge POST requests to the /admin/adduser endpoint. By supplying parameters such as username, password, email, and level, an attacker can create a new user with root\u2011level privileges without the victim\u2019s knowledge, thereby compromising the administrative control of the web application. This weakness, classified as CWE\u201179, permits full administrative takeover once an authenticated user is tricked into visiting a malicious site.", "risk_and_exploitability": "The CVSS score of 6.9 reflects moderate severity, and the EPSS score of less than 1% suggests a low probability of exploitation at present. This flaw is not listed in the CISA KEV catalog, implying it is not currently a widely used exploit. The likely attack vector is a remote web\u2011based CSRF attack that requires a victim to be logged in with administrative privileges when visiting an attacker\u2011controlled page."}}}}, "created": "2026-03-16T09:21:25.838982+00:00", "updated": "2026-03-23T14:01:35.076149+00:00", "vendors": ["qool", "qool$PRODUCT$qool_cms"]}