CSRF in ICEHRM 31.0.0.0S in Delete User Endpoint

IceHrm employee management system allows companies to centralize confidential employee information and define access permissions to authorized personnel to ensure that employee information is both secure and accessible.

Version: 31.0.0.OS

Tested on: Windows 10

CVE : CVE-2022–26588

2. Description:

The attacker can exploit the CSRF issue and delete any arbitrary users from the application.

3. Steps To Reproduce:

1.) Now login into the application and go to users.

2.) After this add an user with the name Devansh.

3.) Now try to delete the user and intercept the request in burp suite. We can see no CSRF Token in request.

5.) Now generate a csrf poc for post based requests with necessary parameters.

6.) Finally open that html poc and execute in the same browser session.

7.) Now if we refresh the page, the devansh is deleted to csrf vulnerability.

4. Exploit POC (Exploit.html)

Related posts:

Regarding the civil litigation update — who is entitled to receive the settlement funds and how will they be distributed? Settlement funds will be distributed to those in the settlement class who…

Precisamos quebrar paradigmas, mas também precisamos gicar alertas pra não cairmos em novas armadilhas. Existe hoje diversas linhas de lutas feministas, que está sendo construída e aprofundada, no…

Color has attracted the human eye even before it came to mass media print in the late nineteenth century, film such as the Wizard of Oz, directed mostly by Victor Fleming in about 1939, and etc…