6.9
Tina4 Stack 1.0.3: Unauthenticated Admin Account Changes
CVE-2018-25186
Summary
Attackers can change admin users' passwords and email addresses without permission by tricking a logged-in user into visiting a malicious website. To fix this issue, update to a newer version of Tina4 Stack or apply a patch.
Original title
Tina4 Stack 1.0.3 contains a cross-site request forgery vulnerability that allows attackers to modify admin user credentials by submitting forged POST requests to the profile endpoint. Attackers ca...
Original description
Tina4 Stack 1.0.3 contains a cross-site request forgery vulnerability that allows attackers to modify admin user credentials by submitting forged POST requests to the profile endpoint. Attackers can craft HTML forms targeting the /kim/profile endpoint with hidden fields containing malicious user data like passwords and email addresses to update administrator accounts without authentication.
NVD CVSS 3.1
5.3
NVD CVSS 4.0
6.9
Vulnerability type
CWE-352
Cross-Site Request Forgery (CSRF)
Published: 6 Mar 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026