CVE-2020-13157

MEDIUM

NukeViet 4.4 - Cross-Site Request Forgery via User Edit URI

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-13157. PoCs published by JEBARAJ.

AI-analyzed exploit summary This exploit demonstrates a CSRF vulnerability in NukeViet CMS 4.4.00, allowing an attacker to change admin passwords, create new users, delete log files, and inject HTML via crafted forms. The PoC includes multiple HTML forms targeting specific endpoints without requiring prior authentication.

Description

modules\users\admin\edit.php in NukeViet 4.4 allows CSRF to change a user's password via an admin/index.php?nv=users&op=edit&userid= URI. The old password is not needed.

Exploits (1)

exploitdb WORKING POC
by JEBARAJ · textwebappsphp
https://www.exploit-db.com/exploits/48489

This exploit demonstrates a CSRF vulnerability in NukeViet CMS 4.4.00, allowing an attacker to change admin passwords, create new users, delete log files, and inject HTML via crafted forms. The PoC includes multiple HTML forms targeting specific endpoints without requiring prior authentication.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: NukeViet CMS 4.4.00
No auth needed
Prerequisites: Victim must be authenticated as an admin and tricked into visiting a malicious page
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2
Core References
Vendor Advisory x_refsource_misc
https://nukeviet.vn/en/
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
https://www.exploit-db.com/exploits/48489

Scores

CVSS v3 6.5
EPSS 0.0012
EPSS Percentile 30.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Details

CWE
CWE-352
Status published
Products (2)
nukeviet/nukeviet 4.4
nukeviet/nukeviet Packagist
Published Jun 23, 2020
Tracked Since Feb 18, 2026