CVE-2021-41074
Unknown Unknown - Not Provided
CSRF Vulnerability in QloApps 1.5.1 Allows Admin Email Change

Publication date: 2026-01-12

Last updated on: 2026-01-12

Assigner: MITRE

Description
A CSRF issue in index.php in QloApps hotel eCommerce 1.5.1 allows an attacker to change the admin's email address via a crafted HTML document.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-12
Last Modified
2026-01-12
Generated
2026-06-16
AI Q&A
2026-01-13
EPSS Evaluated
2026-06-14
NVD
CVE-2021-41074
EUVD
EUVD-2021-28225
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
qloapps qloapps 1.5.1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a Cross-Site Request Forgery (CSRF) issue in QloApps HotelCommerce version 1.5.1. It allows an attacker to change the administrator's email address without authorization by tricking an authenticated admin user into clicking a maliciously crafted HTML document. Once the admin interacts with this document, the attacker can modify the admin user's email address, potentially leading to further account compromise or unauthorized access. [1]

Impact Analysis

The vulnerability can impact you by allowing an attacker to change the administrator's email address without permission. This can lead to further account compromise or unauthorized access, as the attacker could potentially take control of the admin account or intercept sensitive communications. [1]

Detection Guidance

This vulnerability can be detected by monitoring for unauthorized changes to the administrator's email address in QloApps HotelCommerce version 1.5.1. Since it is a CSRF vulnerability triggered by an authenticated admin interacting with a crafted HTML document, detection involves checking server logs for suspicious POST requests to index.php that change admin email addresses without proper authorization. Additionally, reviewing web server access logs for unusual referrers or sources of requests that modify admin settings can help. Specific commands would depend on your environment, but for example, using grep on server logs to find POST requests to index.php with parameters related to email changes could be useful, e.g., `grep 'POST /index.php' /var/log/apache2/access.log | grep 'email='`. Also, monitoring admin account email changes in the application database or logs can help detect exploitation attempts. [1]

Mitigation Strategies

Immediate mitigation steps include applying any available patches or updates from QloApps that address this CSRF vulnerability. If no patch is available, implement CSRF protection mechanisms such as adding CSRF tokens to forms that change admin email addresses. Additionally, restrict access to the admin panel to trusted IP addresses, enforce strong authentication, and educate administrators to avoid clicking on suspicious links or HTML documents. Monitoring and alerting on changes to admin email addresses can also help detect exploitation attempts early. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2021-41074. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart