CVE-2021-38721: 
Fuel CMS vulnerability analysis and mitigation

FUEL CMS 1.5.0 contains a cross-site request forgery (CSRF) vulnerability in login.php. The vulnerability was discovered and disclosed on August 10, 2021, and was assigned identifier CVE-2021-38721. The vulnerability affects FUEL CMS version 1.5.0 and potentially earlier versions (NIST NVD, MITRE CVE).

The vulnerability exists in the password reset functionality accessible via the path /fuel/index.php/fuel/login/pwd_reset. The CVSS v3.1 base score is 6.5 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N. The vulnerability stems from the lack of proper CSRF protection mechanisms in the login functionality, which could allow attackers to perform unauthorized actions on behalf of authenticated users (NIST NVD).

The vulnerability allows attackers to perform unauthorized actions through cross-site request forgery attacks, particularly affecting the password reset functionality. This could potentially lead to account compromise if an authenticated user is tricked into visiting a malicious page while logged into the application (NIST NVD).

The vulnerability has been patched in a subsequent release. The fix includes implementing proper CSRF protection mechanisms and adding validation checks for CSRF tokens. The patch can be found in commit 6164cd794674d4d74da39f8b535ff588ab006e33 (GitHub Patch).