
Cloud Vulnerability DB
A community-led vulnerabilities database
Subrion CMS 4.1.5 and possibly earlier versions were found to be vulnerable to Cross-Site Request Forgery (CSRF) that allows attackers to change administrator passwords via the panel/members/edit/1 URI. The vulnerability was discovered and reported on February 13, 2018 (GitHub Issue).
The vulnerability exists due to the lack of CSRF token validation in the password change functionality. The application does not validate the source origin of incoming requests to the password change endpoint. This allows attackers to craft malicious requests that can change an administrator's password when executed (GitHub Issue). The vulnerability has been assigned a CVSS v3.1 Base Score of 8.8 HIGH with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (NVD).
If successfully exploited, this vulnerability allows attackers to change administrator passwords without authorization, potentially leading to complete administrative account compromise. This could result in unauthorized access to the CMS admin panel and full control over the website (NVD).
The recommended mitigation is to implement proper CSRF token validation and verify the source origin of requests to the password change functionality (GitHub Issue).
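The following is an added example (not Subrion's own code) of the two checks the mitigation calls for, written as a server-side guard in front of a password-change handler. The request and session shapes, the SITE_ORIGIN value and the function names are assumptions for illustration.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Origin the CMS admin panel is served from (assumed value for this example).
SITE_ORIGIN = "https://cms.example.com"


def issue_csrf_token(session: dict) -> str:
    """Mint a per-session CSRF token and store it server-side for later comparison."""
    session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def _origin_of(url: str) -> str:
    """Reduce a full URL (e.g. a Referer) to its scheme://host[:port] origin."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def validate_password_change(request: dict, session: dict) -> tuple[bool, str]:
    """Return (allowed, reason) for a request to the password-change endpoint.

    `request` is a constructed stand-in for an HTTP request:
    {"method": str, "headers": {...}, "form": {...}}.
    The checks mirror the advisory's mitigation: a session-bound CSRF token must
    accompany the request, and its source origin (Origin, else Referer) must be ours.
    """
    if request.get("method") != "POST":
        return False, "password changes must be POSTed"

    expected = session.get("csrf_token")
    supplied = request.get("form", {}).get("csrf_token", "")
    # compare_digest avoids leaking token bytes through timing differences
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "missing or invalid CSRF token"

    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
    source = headers.get("origin") or headers.get("referer")
    if not source:
        # Neither header present: fail closed rather than assume same-origin
        return False, "no Origin or Referer header"
    if _origin_of(source) != SITE_ORIGIN.lower():
        return False, f"cross-site request from {_origin_of(source)}"

    return True, "ok"
```

A request that lacks the token or arrives with a foreign Origin/Referer is rejected before any password is touched, which is exactly the case the advisory describes.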
Source: This report was generated using AI