Vendor: phpAutoVideo
By: GoLdeN-z3r0
CVSS: 4.3 (MEDIUM)
CWE: 352 (Cross-Site Request Forgery (CSRF))
Product Name: phpAutoVideo
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2020
phpAutoVideo CSRF
A Cross-Site Request Forgery (CSRF) vulnerability exists in phpAutoVideo that allows an attacker to change the admin password by getting an authenticated administrator to issue a forged request. The attacker's page contains a hidden form with the parameter 'admintype' set to 'changepass' and both 'passworda' and 'passwordb' set to 'z3r0'. When the victim visits the malicious page, the form is submitted automatically with the victim's session and the admin password is changed.
Mitigation:
The best way to mitigate CSRF attacks is the synchronizer token pattern: the server generates a unique, unpredictable token for each request, embeds it in the form, and verifies the token the client sends back before acting on the request; a request without a valid token is rejected. In addition, the server should check the Origin and Referer headers of the request to ensure that it comes from a trusted source.
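The mitigation above applied to the password-change form from the advisory, as an added example that is not phpAutoVideo's own code: the parameter names admintype, passworda and passwordb come from the description, while the session key, EXPECTED_HOST and change_admin_password() are assumptions or placeholders.

```php
<?php
// Added example, not phpAutoVideo's code: synchronizer-token protection for the
// admintype=changepass form. Parameter names come from the advisory; the session
// key, EXPECTED_HOST and change_admin_password() are assumptions/placeholders.
const EXPECTED_HOST = 'admin.example.invalid'; // assumption: the site's real host
session_start();

// One unpredictable token per session, embedded in every state-changing form.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison so the check leaks no timing information.
function csrf_token_is_valid($submitted): bool {
    return is_string($submitted) && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

// Defense in depth: a cross-site POST carries a foreign Origin (or Referer).
function request_is_same_origin(string $expectedHost): bool {
    $source = $_SERVER['HTTP_ORIGIN'] ?? $_SERVER['HTTP_REFERER'] ?? '';
    if ($source === '') {
        return false; // fail closed when neither header is present
    }
    return strcasecmp((string) parse_url($source, PHP_URL_HOST), $expectedHost) === 0;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && ($_POST['admintype'] ?? '') === 'changepass') {
    if (!csrf_token_is_valid($_POST['csrf_token'] ?? null) || !request_is_same_origin(EXPECTED_HOST)) {
        http_response_code(403);
        exit('Rejected: missing/invalid CSRF token or cross-site origin.');
    }
    $pa = $_POST['passworda'] ?? '';
    if ($pa === '' || $pa !== ($_POST['passwordb'] ?? '')) {
        exit('Passwords are empty or do not match.');
    }
    change_admin_password(password_hash($pa, PASSWORD_DEFAULT)); // placeholder for the app's update routine
    exit('Password changed.');
}
?>
<form method="post" action="">
    <input type="hidden" name="admintype" value="changepass">
    <input type="hidden" name="csrf_token" value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES) ?>">
    <input type="password" name="passworda"> <input type="password" name="passwordb">
    <button type="submit">Change password</button>
</form>
```

The hidden form in the advisory cannot supply csrf_token, since the attacker's page has no access to the victim's session, so the handler refuses the forged request before touching the password.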