CVE-2012-1297

Contao CMS < 2.11.0 - Cross-Site Request Forgery via User, News, or Newsletter Deletion

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2012-1297. PoCs published by Ivano Binetti.

AI-analyzed exploit summary This exploit demonstrates CSRF vulnerabilities in ContaoCMS (formerly TYPOlight) <= 2.11, allowing an attacker to delete administrators, users, news, or newsletters via crafted HTML forms. The PoC includes multiple examples of auto-submitting forms targeting specific endpoints.

Description

Multiple cross-site request forgery (CSRF) vulnerabilities in main.php in Contao (formerly TYPOlight) 2.11.0 and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) delete users via a delete action in the user module, (2) delete news via a delete action in the news module, or (3) delete newsletters via a delete action in the newsletters module.

Exploits (1)

exploitdb WORKING POC

by Ivano Binetti · textwebappsphp

https://www.exploit-db.com/exploits/18527

View Code ZIP pw:eip

This exploit demonstrates CSRF vulnerabilities in ContaoCMS (formerly TYPOlight) <= 2.11, allowing an attacker to delete administrators, users, news, or newsletters via crafted HTML forms. The PoC includes multiple examples of auto-submitting forms targeting specific endpoints.

Classification

Working Poc 90%

Attack Type

Other

Complexity

Trivial

Reliability

Reliable

Target: ContaoCMS (aka TYPOlight) <= 2.11.0

Auth required

Prerequisites: Victim must be authenticated as an admin/user in ContaoCMS · Victim must visit a malicious page hosting the CSRF exploit

MITRE ATT&CK

T1566.002 - Spearphishing Link

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (5)

Core 5

Core References

Various Sources x_refsource_misc

http://ivanobinetti.blogspot.com/2012/02/contaocms-fka-typolight-211-csrf-delete.html

Exploit exploit x_refsource_exploit-db

http://www.exploit-db.com/exploits/18527

Exploit x_refsource_misc

http://packetstormsecurity.org/files/110214/ContaoCMS-2.11.0-Cross-Site-Request-Forgery.html

Third Party Advisory, VDB Entry vdb-entry x_refsource_xf

https://exchange.xforce.ibmcloud.com/vulnerabilities/73479

Vendor Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/48180

Scores

EPSS 0.0108

EPSS Percentile 60.6%

Details

CWE

CWE-352

Status published

Products (47)

contao/contao_cms 2.0 (3 CPE variants)

contao/contao_cms 2.1.0

contao/contao_cms 2.1.1

contao/contao_cms 2.1.2

contao/contao_cms 2.1.3

contao/contao_cms 2.1.4

contao/contao_cms 2.1.5

contao/contao_cms 2.1.6

contao/contao_cms 2.1.7

contao/contao_cms 2.1.8

... and 37 more

Published Mar 19, 2012

Tracked Since Feb 18, 2026