Vendor: PilusCart
By: Gionathan 'John' Reale
CVSS: 7.5 (HIGH)
CWE: 352 (Cross-Site Request Forgery)
Product Name: PilusCart
Affected Version From: 1.4.1
Affected Version To: 1.4.1
Patch Exists: NO
Related CVE: 2019-9769
CPE: a:pilus:piluscart:1.4.1
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: ParrotOS
Year: 2019

PilusCart 1.4.1 – Cross-Site Request Forgery (Add Admin)

PilusCart 1.4.1 is vulnerable to a cross-site request forgery (CSRF) attack: if an admin user can be tricked into visiting a URL crafted by the attacker (for example via spear phishing or social engineering), a form is submitted in that admin's session that adds a new user with administrator privileges.

Mitigation:

Implementing a CSRF token in the application can prevent this type of attack.