{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/cotonti-siena--0.9.26/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-58143"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Cotonti Siena \u003c= 0.9.26"],"_cs_severities":["high"],"_cs_tags":["cross-site-request-forgery","vulnerability","webserver","rce","php"],"_cs_type":"advisory","_cs_vendors":["Cotonti"],"content_html":"\u003cp\u003eCVE-2026-58143 details a critical Cross-Site Request Forgery (CSRF) vulnerability affecting Cotonti Siena content management system versions 0.9.26 and earlier. This vulnerability allows an unauthenticated attacker to exploit a flaw in the \u003ccode\u003eadmin.php\u003c/code\u003e configuration update handler, which neglects to invoke the application's CSRF validation function. By crafting a malicious web page or link, the attacker can trick a logged-in administrator into submitting a forged POST request. The primary impact of this action is the ability to disable the PFS module's file extension whitelist (\u003ccode\u003epfsfilecheck\u003c/code\u003e parameter), setting it to \u003ccode\u003e0\u003c/code\u003e. This modification subsequently allows any user with PFS access to upload and execute arbitrary PHP files on the server, potentially leading to full remote code execution and compromise of the Cotonti Siena installation. The vulnerability was published on 2026-07-09, affecting a widely used open-source CMS.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eCraft Malicious Request\u003c/strong\u003e: An unauthenticated attacker crafts a malicious web page containing a forged POST request targeting the \u003ccode\u003eadmin.php\u003c/code\u003e configuration update handler on the vulnerable Cotonti Siena instance. The request specifically includes the parameter \u003ccode\u003epfsfilecheck=0\u003c/code\u003e to disable the PFS module's file extension whitelist.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSocial Engineering\u003c/strong\u003e: The attacker employs social engineering techniques (e.g., phishing, watering hole attack) to trick a legitimate, logged-in administrator of the Cotonti Siena instance into visiting the malicious web page or clicking a malicious link.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eForged Request Execution\u003c/strong\u003e: The administrator's browser, being logged into Cotonti Siena, automatically executes the forged POST request to \u003ccode\u003eadmin.php\u003c/code\u003e in the background when the malicious page is loaded.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eConfiguration Modification\u003c/strong\u003e: The vulnerable Cotonti Siena application processes the incoming POST request to \u003ccode\u003eadmin.php\u003c/code\u003e without performing adequate CSRF token validation, accepting the forged request as legitimate. The \u003ccode\u003epfsfilecheck\u003c/code\u003e setting is updated to \u003ccode\u003e0\u003c/code\u003e in the application's configuration.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eArbitrary File Upload Enabled\u003c/strong\u003e: With the \u003ccode\u003epfsfilecheck\u003c/code\u003e whitelist disabled, the Cotonti Siena PFS module no longer restricts file uploads based on extension. This allows the attacker, or any user with PFS upload privileges, to upload files with dangerous extensions, such as \u003ccode\u003e.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePHP File Upload\u003c/strong\u003e: The attacker uploads a malicious PHP web shell or other arbitrary PHP script to the server via the PFS module.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRemote Code Execution\u003c/strong\u003e: The attacker accesses the uploaded PHP file via a web browser, causing the server to execute the arbitrary PHP code, achieving remote code execution (RCE) on the Cotonti Siena server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of CVE-2026-58143 grants unauthenticated attackers a pathway to complete system compromise. By disabling file upload restrictions, attackers can upload and execute arbitrary PHP files, leading to remote code execution. This can result in full control over the compromised Cotonti Siena web server, allowing for data theft, defacement of the website, establishment of persistent backdoors, and further network penetration. While specific victim counts are not available, any organization utilizing Cotonti Siena versions 0.9.26 or earlier is at risk, particularly those that have not implemented additional web application firewall (WAF) protections or strong administrator awareness training against phishing.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003ePatch CVE-2026-58143\u003c/strong\u003e: Immediately upgrade Cotonti Siena to a version greater than 0.9.26 that addresses CVE-2026-58143.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImplement CSRF Protection\u003c/strong\u003e: If immediate patching is not possible, implement custom CSRF protection mechanisms or use a Web Application Firewall (WAF) to block requests to \u003ccode\u003eadmin.php\u003c/code\u003e that lack proper anti-CSRF tokens.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMonitor Web Server Logs\u003c/strong\u003e: Deploy the Sigma rule \u003ccode\u003eCotonti_Siena_CSRF_PFS_Whitelist_Disable_CVE_2026_58143\u003c/code\u003e to your SIEM to detect HTTP POST requests targeting \u003ccode\u003e/admin.php\u003c/code\u003e that attempt to modify the \u003ccode\u003epfsfilecheck\u003c/code\u003e parameter, indicating potential exploitation of CVE-2026-58143.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eEducate Administrators\u003c/strong\u003e: Provide security awareness training to administrators on identifying and avoiding social engineering attacks, such as phishing, that could trick them into executing forged requests.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-09T22:22:55Z","date_published":"2026-07-09T22:22:55Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cotonti-siena-csrf-rce/","summary":"A Cross-Site Request Forgery (CSRF) vulnerability in Cotonti Siena versions 0.9.26 and earlier allows unauthenticated attackers to modify administrator configuration by tricking a logged-in administrator into submitting a forged POST request, enabling the upload and execution of arbitrary PHP files leading to remote code execution.","title":"CVE-2026-58143 - Cotonti Siena 0.9.26 and earlier contains a cross-site request forgery vulnerability that allows una...","url":"https://feed.craftedsignal.io/briefs/2026-07-cotonti-siena-csrf-rce/"}],"language":"en","title":"CraftedSignal Threat Feed - Cotonti Siena \u003c= 0.9.26","version":"https://jsonfeed.org/version/1.1"}