Description: Web-School ERP V 5.0 contains a cross-site request forgery (CSRF) vulnerability that allows a remote attacker to create a student_leave_application request through module/core/studentleaveapplication/create. The endpoint does not validate a CSRF token on the POST request, so an attacker who gets an authenticated user with the Guardian privilege to open a malicious page can have the browser submit a leave application on that user's behalf.
Recommendations :
1- Issue a per-session CSRF token (for example in an X-CSRF-TOKEN header) and make sure the back-end server validates it on every state-changing request; a token that is only emitted by the server and never checked gives no protection.
2- Implement a client-side interceptor which appends the token value to every (state-changing) request in the custom request header X-XSRF-TOKEN-B, so that forms and AJAX calls do not each need to add it by hand. Whatever header name is chosen, the server-side check must read the same header.
Product : Web-School ERP V 5.0
Video POC : Google Drive
POC :