Description: Web-School ERP V 5.0 contains a cross-site request forgery (CSRF) vulnerability that allows a remote attacker to create a voucher payment request through module/accounting/voucher/create. The application does not validate a CSRF token on this POST request, so a request forged from an attacker-controlled page is accepted with the privileges of the logged-in administrator whose browser submits it.
Recommendations :
1- Implement an X-CSRF-TOKEN token and make sure it is also validated on the back-end server (a token that is only emitted but never checked gives no protection)
2- Implement an interceptor that appends the token value to every state-changing request in the custom request header X-XSRF-TOKEN
Video POC : Google Drive
Product : Web-School ERP V 5.0
POC :