CVE-2023-37650: 
PHP vulnerability analysis and mitigation

A Cross-Site Request Forgery (CSRF) vulnerability was discovered in the Admin portal of Cockpit CMS v2.5.2, allowing attackers to execute arbitrary Administrator commands. The vulnerability was disclosed on July 20, 2023, and was patched in version 2.6.0 (Cockpit Release, GhostCcamm Blog).

The vulnerability stemmed from the absence of CSRF token validation in the admin API actions. The admin portal lacked CSRF protection, unlike the general API, making every admin API action vulnerable to CSRF attacks. This could be exploited through both the Assets API and Finder API. The vulnerability received a CVSS v3.1 Base Score of 8.8 HIGH (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) (NVD).

The vulnerability could allow attackers to execute arbitrary administrator commands through CSRF attacks. This could be leveraged to achieve cross-site scripting (XSS) through SVG file uploads and even remote code execution (RCE) through the Finder API's unzip functionality (GhostCcamm Blog).

The vulnerability was patched in Cockpit CMS version 2.6.0 by adding CSRF token validation for admin API actions. The fix requires adding $this->hasValidCsrfToken(true) to each route for the internal API. Additionally, it is recommended to delete the Finder API module (modules/Finder folder) to prevent potential RCE exploits, and implement strict file upload restrictions (Cockpit Release, GhostCcamm Blog).