CVE-2023-33409 PoC — miniCal 跨站请求伪造漏洞

Source

https://github.com/Thirukrishnan/CVE-2023-33409

Associated Vulnerability

Title:miniCal 跨站请求伪造漏洞 (CVE-2023-33409)
Description:miniCal是miniCal开源的一款开源的 PMS。 miniCal 1.0.0版本存在安全漏洞，该漏洞源于容易受到通过minical/public/application/controllers/settings/company.php进行的跨站请求伪造(CSRF)攻击。

Readme

# CVE-2023-33409

Minical 1.0.0 is vulnerable to Cross-Site Request Forgery.

Vendor:       <https://github.com/minical/minical>

Demo Application: <https://demo.minical.io/>

***

## PoC

The application does not have any CSRF protection, hence a specially crafted HTTP request can be used to, 

- Add New User 
- Delete Existing User
- Edit the existing User’s Email Address and other sensitive information.

The payloads for different attacks can be generated using the Generate CSRF POC tool in BurpSuite.

Example:

Add New User:

![image](https://github.com/Thirukrishnan/CVE-2023-33409./assets/63901950/91c6a17a-b826-4f8b-877a-1094cb25f6a6)

File Snapshot


 [4.0K]  /data/pocs/d57943bc120be76d7b602fa2dbdeba8c7918f7e8
└── [ 652]  README.md

0 directories, 1 file

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!