Cross Site Request Forgery- Front Accounting ERP 2.4.3 - CVE-2018-7176
By: Samrat Das

Hi Readers, recently while performing an open source security assessment, I came across an ERP application, Front Accounting. Curious to explore its functionality, I set up a local copy and started playing around to find security vulnerabilities.

Title of the Vulnerability: Cross Site Request Forgery
Vulnerability Class: Remote Code Execution / Account takeover
CVE ID allocated: CVE-2018-7176
Product & Service Introduction: Front Accounting 2.4.3

Technical Details & Description: The application has no anti-CSRF countermeasures (for example, a per-session token that is validated on every state-changing request), so requests submitted from a maliciously crafted HTML page are executed directly by the application.

Steps to Reproduce:
1. Visit the application.
2. Visit the User Permissions page.
3. Go to Add User, and create a CSRF-crafted exploit for the same; upon hosting it on a server and sending the link to cl
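As an added illustration (not code from this advisory or from FrontAccounting, whose code base is PHP), the following Python model contrasts an add-user handler that honours any cookie-authenticated POST, which is the behaviour the report describes, with one that validates a per-session synchronizer token and the request Origin. The session layout, form field names and the site origin are constructed assumptions.

```python
import hmac
import secrets

SITE_ORIGIN = "https://erp.example.test"  # assumed origin of the ERP instance (constructed)


def new_session():
    """Server-side session for a logged-in admin; the token is minted once per session (constructed)."""
    return {"user": "admin", "csrf_token": secrets.token_hex(32)}


def add_user_vulnerable(session, form, headers):
    """Models the reported flaw: a cookie-authenticated POST is honoured with no
    anti-CSRF check, so a form submitted from another site succeeds just as well."""
    return {"added_by": session["user"], "user_name": form["user_name"], "role": form["role"]}


def add_user_hardened(session, form, headers):
    """Same action with two independent checks: a synchronizer token bound to the
    session and an Origin/Referer check. Returns None when the request is rejected."""
    # 1. The token must be present and equal to the session's token (constant-time compare).
    token = form.get("csrf_token", "")
    if not token or not hmac.compare_digest(token, session["csrf_token"]):
        return None
    # 2. Defence in depth: browsers send Origin (or Referer) with form posts, and a
    #    cross-site submission carries the other site's origin, not ours.
    source = headers.get("Origin") or headers.get("Referer", "")
    if source != SITE_ORIGIN and not source.startswith(SITE_ORIGIN + "/"):
        return None
    return {"added_by": session["user"], "user_name": form["user_name"], "role": form["role"]}


def render_add_user_form(session):
    """Form the legitimate page would serve: the token travels as a hidden field."""
    return {"user_name": "", "role": "", "csrf_token": session["csrf_token"]}
```

Rotating the token per session (or per form) and rejecting on any mismatch is what the missing countermeasure in the report would have provided.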