Headline
CVE-2023-46478: GitHub - mr-xmen786/CVE-2023-46478
An issue in minCal v.1.0.0 allows a remote attacker to execute arbitrary code via a crafted script to the customer_data parameter.
CVE-2023-46478
Minical 1.0.0 is vulnerable to IDOR.
Vendor: https://github.com/minical/minical
Demo Application: https://demo.minical.io/
PoC
Step 1: I have created two user accounts: user A (hacker) and user B (walker-448).
Step 2: Go to the User B account, then navigate to the Accounting module and click on any ID.
Step 3: Now, click on "Edit Profile". Enter the desired value in the Name field, then click "Update" and capture the request using Burp Suite.
Step 4: Now send the request to Intruder.
Step 5: Now, set the payload position in the "customer_id" parameter, enter the HTML payload in the "customer_data[customer_name]" parameter, and then click "Start Attack".
Step 6: Now, refresh the browser for user A. As can be observed, we successfully updated user A's details, as shown in the PoC below.
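The root cause of the behaviour in Steps 5 and 6 is that the update handler trusts the submitted `customer_id` without checking that the record belongs to the logged-in account, and the HTML submitted in `customer_data[customer_name]` is stored and rendered unescaped. The following is an added example of the fix, written here for this advisory; it is not minical's own code, and the `customers` table, its `owner_user_id` column and the function names are assumptions made for the demo, not the vendor's schema or API. It is written in PHP because minical is a PHP application.

```php
<?php
// Added example (not minical's code): bind the update to the session's user so
// another account's customer_id matches zero rows, and escape names on output
// so stored HTML renders as inert text. Table/column names are assumptions.

declare(strict_types=1);

function updateCustomerName(PDO $db, int $sessionUserId, int $customerId, string $newName): bool
{
    // Basic input validation before touching the database.
    $newName = trim($newName);
    if ($newName === '' || mb_strlen($newName) > 100) {
        return false;
    }
    // The WHERE clause carries the ownership check: the row is only updated when
    // it belongs to the authenticated user, regardless of which id was submitted.
    $stmt = $db->prepare(
        'UPDATE customers SET customer_name = :name WHERE id = :id AND owner_user_id = :owner'
    );
    $stmt->execute([':name' => $newName, ':id' => $customerId, ':owner' => $sessionUserId]);
    // Zero affected rows means "not yours" (or nonexistent); treat it as a failure
    // and log it, since repeated misses are a useful IDOR probing signal.
    if ($stmt->rowCount() !== 1) {
        error_log(sprintf('customer update denied: user=%d customer_id=%d', $sessionUserId, $customerId));
        return false;
    }
    return true;
}

function renderCustomerName(string $name): string
{
    // Escape at output time so a stored "<b>..." or "<img onerror=...>" is shown as text.
    return htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// --- Demo with constructed data in an in-memory SQLite database ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE customers (id INTEGER PRIMARY KEY, owner_user_id INTEGER NOT NULL, customer_name TEXT NOT NULL)');
$db->exec("INSERT INTO customers VALUES (1, 100, 'Alice'), (2, 200, 'Bob')");

// User 200 edits a customer that is theirs.
var_dump(updateCustomerName($db, 200, 2, 'Robert'));
// User 200 submits customer_id=1, which belongs to user 100, with an HTML payload.
var_dump(updateCustomerName($db, 200, 1, '<b>injected</b>'));
// Whatever is stored is escaped when rendered.
$row = $db->query('SELECT customer_name FROM customers WHERE id = 1')->fetchColumn();
echo renderCustomerName((string) $row), "\n";
echo renderCustomerName('<b>injected</b>'), "\n";
```

Run with `php example.php`: the first update succeeds, the second is refused because the ownership predicate matches no row (so customer 1 still reads "Alice"), and the final line shows the markup entity-encoded rather than rendered. The same pattern applies to any handler that takes a record id from the request: the id alone is never proof of authorization, so the query must include the owning principal, and the result must be checked rather than assumed.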