CarRentalMS 2.0 Cross Site Request Forgery

2026.01.12
Credit: Parthiv
Risk: Low
Local: No
Remote: Yes
CVE: CVE-2025-66683
CWE: CWE-352

## Description

A Cross-Site Request Forgery (CSRF) vulnerability exists in the administrator profile update functionality of **CarRentalMS v2.0**. The affected endpoint accepts state-changing POST requests on the strength of the session cookie alone, with no anti-CSRF token or origin check, so an attacker can make an authenticated administrator's browser submit a forged profile update from attacker-controlled HTML. This issue has been assigned **CVE-2025-66683**.

## Affected Product

- Project: CarRentalMS
- Version: 2.0
- Vendor: Mart Mbithi

## Affected Component

- Endpoint: `/CarRentalMS/ui/backoffice_settings`
- Functionality: Admin profile update

## Vulnerability Type

- Cross-Site Request Forgery (CSRF)
- CWE-352

## Attack Vector

Remote. The attacker lures an authenticated administrator into visiting a malicious page (for example through a malicious advertisement or a compromised website). The page silently submits a forged POST request to the vulnerable endpoint; the browser attaches the administrator's session cookie, so the application treats the request as the administrator's own.

## Impact

Successful exploitation allows unauthorized modification of administrator profile details, including the e-mail address. This can result in:

- Full account takeover of the administrator account
- Privilege escalation, in that the attacker obtains administrative control without valid credentials
- Persistence, since the attacker-controlled profile details survive the end of the victim's session
- Potential data exfiltration using the hijacked administrative access

## Conditions for Exploitation

- The administrator is authenticated (has an active session)
- The endpoint implements no anti-CSRF token
- The session cookie is set without a `SameSite` attribute (or with `SameSite=None`); note that not all browsers treat attribute-less cookies as `Lax` by default, and Chrome exempts cookies set within the last two minutes from the cross-site POST restriction, so browser defaults must not be relied on
- The administrator interacts with attacker-controlled HTML content (visiting the page is sufficient; no click is required)

## Proof of Concept

A working proof of concept demonstrates exploitation by auto-submitting a crafted HTML form while an administrator session is active, resulting in profile data being modified without the administrator's consent. (PoC details were provided to the maintainers and are not fully reproduced here.)

## Mitigation Recommendations

- Implement anti-CSRF tokens (e.g., the synchronizer token pattern: a per-session random token embedded in the form and verified server-side on every state-changing request)
- Set `SameSite=Lax` or `SameSite=Strict` on the session cookie, together with `Secure` and `HttpOnly`
- Validate the `Origin` header (falling back to `Referer`) on state-changing requests as defense in depth
- Apply additional server-side authorization checks for state-changing requests, e.g. re-authentication before an e-mail or password change

## References

- https://cwe.mitre.org/data/definitions/352.html
- https://owasp.org/www-community/attacks/csrf
- https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite

## Discoverer

Parthiv Kumar Nikku ([parthivkumarnikku@gmail.com](mailto:parthivkumarnikku@gmail.com))
Copyright 2026, cxsecurity.com