vendor:
Dental Clinic Appointment Reservation System
by:
Reza Afsahi
8.8
CVSS
HIGH
Cross Site Request Forgery
352
CWE
Product Name: Dental Clinic Appointment Reservation System
Affected Version From: 1.0
Affected Version To: 1.0
Patch Exists: NO
Related CWE: N/A
CPE: a:sourcecodester:dental_clinic_appointment_reservation_system
Metasploit:
N/A
Other Scripts:
N/A
Platforms Tested: PHP 7.4.11, Linux x64_x86
2021
Dental Clinic Appointment Reservation System 1.0 – Cross Site Request Forgery (Add Admin)
An attacker can exploit a Cross Site Request Forgery vulnerability in the Dental Clinic Appointment Reservation System 1.0 to add an admin user. By crafting a malicious HTML page, an attacker can send a POST request to the vulnerable user.php page with a username and password of their choice. This will add an admin user to the system.
Mitigation:
To mitigate Cross Site Request Forgery vulnerabilities, the application should implement a CSRF token that is unique to each user session. This token should be checked on each request to ensure that the request is valid.
