
CVE-2023-33409: GitHub - Thirukrishnan/CVE-2023-33409

Minical 1.0.0 is vulnerable to Cross Site Request Forgery (CSRF) via minical/public/application/controllers/settings/company.php.


CVE-2023-33409

Minical 1.0.0 is vulnerable to Cross-Site Request Forgery.

Vendor: https://github.com/minical/minical

Demo Application: https://demo.minical.io/

PoC

The application has no CSRF protection, so a specially crafted HTTP request sent on behalf of an authenticated user can be used to:

  • add a new user
  • delete an existing user
  • edit an existing user's email address and other sensitive information

The payloads for these different attacks can be generated with the Generate CSRF PoC feature in Burp Suite.

Example:

Add New User:
