## Description

A Cross-Site Request Forgery (CSRF) vulnerability exists in the administrator profile update functionality of **CarRentalMS v2.0**. The affected endpoint implements no anti-CSRF protection, so an attacker who can get an authenticated administrator to load attacker-controlled HTML can submit profile modifications on that administrator's behalf. This issue has been assigned **CVE-2025-66683**.

## Affected Product

- Project: CarRentalMS
- Version: 2.0
- Vendor: Mart Mbithi

## Affected Component

- Endpoint: `/CarRentalMS/ui/backoffice_settings`
- Functionality: Admin profile update

## Vulnerability Type

- Cross-Site Request Forgery (CSRF)
- CWE-352

## Attack Vector

Remote. An attacker lures an authenticated administrator into visiting a malicious webpage (for example via a malicious advertisement or a compromised website), which silently submits a forged POST request to the vulnerable endpoint. The browser attaches the administrator's session cookie to that request, so the application treats it as a legitimate action performed by the administrator.

## Impact

Successful exploitation allows unauthorized modification of administrator profile details, including the email address. This can result in:

- Full account takeover (for example, if the attacker-controlled email address is subsequently used for password recovery)
- Privilege escalation
- Persistence establishment
- Potential data exfiltration

## Conditions for Exploitation

- The administrator is authenticated (has an active session)
- No anti-CSRF tokens are implemented
- No `SameSite` cookie protection is enforced on the session cookie
- The administrator interacts with attacker-controlled HTML content

## Proof of Concept

A working proof of concept demonstrates exploitation by auto-submitting a crafted HTML form while an administrator session is active, resulting in profile data being modified without the administrator's consent. (PoC details were provided to the maintainers and are not fully reproduced here.)
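Because the reporter's PoC is withheld, the following is an added, framework-agnostic model written for this page (not CarRentalMS source code and not the reporter's PoC). It places the unprotected handler shape described above beside a hardened version that combines the three controls a fix needs: a per-session synchronizer token, an `Origin`/`Referer` check, and a `SameSite` session cookie. The deployment origin `https://rental.example`, the attacker origin, and the `email` and `csrf_token` form fields are assumptions; the real parameter names accepted by `/CarRentalMS/ui/backoffice_settings` are not disclosed in the advisory.

```python
"""Synchronizer-token CSRF protection for a state-changing admin endpoint.

Requests, sessions and responses are plain dicts so this runs offline.
SITE_ORIGIN, ATTACKER_ORIGIN and the form field names are constructed for
this example; the advisory does not disclose the real ones.
"""
import hmac
import secrets
from urllib.parse import urlparse

SITE_ORIGIN = "https://rental.example"        # assumed deployment origin
ATTACKER_ORIGIN = "https://attacker.example"  # constructed cross-site origin


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value with SameSite: a POST auto-submitted from another
    site will not carry this cookie, so the server sees no session at all."""
    return f"SESSIONID={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


def issue_csrf_token(session: dict) -> str:
    """Synchronizer token: one random secret per session, kept server side
    and rendered into the profile form as a hidden field."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def origin_allowed(headers: dict) -> bool:
    """Defence in depth: accept only requests whose Origin (or, failing that,
    Referer) matches our origin. Fail closed when both headers are absent."""
    origin = headers.get("Origin")
    if origin:
        return origin == SITE_ORIGIN
    referer = headers.get("Referer")
    if referer:
        p = urlparse(referer)
        return f"{p.scheme}://{p.netloc}" == SITE_ORIGIN
    return False


def update_profile_unprotected(request: dict, session: dict) -> tuple:
    """The vulnerable shape: authentication is the only check, so any POST
    the browser sends with the admin's cookie is honoured."""
    if request["method"] != "POST" or not session.get("admin_authenticated"):
        return 401, "not authenticated"
    session["profile"] = {"email": request["form"].get("email")}
    return 200, "profile updated"


def update_profile_protected(request: dict, session: dict) -> tuple:
    """Hardened handler: origin check, then constant-time token comparison,
    and only then the state change."""
    if request["method"] != "POST":
        return 405, "method not allowed"
    if not session.get("admin_authenticated"):
        return 401, "not authenticated"
    if not origin_allowed(request["headers"]):
        return 403, "cross-origin request rejected"
    expected = session.get("csrf_token", "")
    submitted = request["form"].get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), submitted.encode()):
        return 403, "missing or invalid CSRF token"
    session["profile"] = {"email": request["form"].get("email")}
    return 200, "profile updated"


def forged_request() -> dict:
    """What a hidden auto-submitting form on attacker.example yields: the
    browser sets Origin to the attacker's site, and the attacker cannot read
    the victim's per-session token, so the form carries none."""
    return {
        "method": "POST",
        "headers": {"Origin": ATTACKER_ORIGIN},
        "form": {"email": "attacker@attacker.example"},  # constructed value
    }


def legitimate_request(session: dict) -> dict:
    """The same form submitted from our own page, carrying the hidden token."""
    return {
        "method": "POST",
        "headers": {"Origin": SITE_ORIGIN},
        "form": {"email": "admin@rental.example", "csrf_token": issue_csrf_token(session)},
    }


def demo() -> dict:
    """Status codes for forged and legitimate requests against both handlers."""
    session = {"admin_authenticated": True}
    issue_csrf_token(session)
    return {
        "unprotected_forged": update_profile_unprotected(forged_request(), session)[0],
        "protected_forged": update_profile_protected(forged_request(), session)[0],
        "protected_legit": update_profile_protected(legitimate_request(session), session)[0],
    }


if __name__ == "__main__":
    print(demo())  # {'unprotected_forged': 200, 'protected_forged': 403, 'protected_legit': 200}
```

Two design points worth noting. The origin check fails closed when neither `Origin` nor `Referer` is present, which can reject legitimate clients behind strict referrer policies or privacy proxies; that is why the token is the primary control and the header check is only defence in depth. `SameSite=Lax` still lets a top-level cross-site GET navigation carry the cookie, so the handler must refuse anything but POST for state changes, as the hardened version does.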
## Mitigation Recommendations

- Implement anti-CSRF tokens (e.g., the synchronizer token pattern: a random per-session token embedded in the form and verified server-side on every state-changing request)
- Set the `SameSite` attribute (`Lax` or `Strict`) on the session cookie so browsers do not attach it to cross-site POST requests
- Validate the `Origin` header (falling back to `Referer`) as a defence-in-depth check, not as the sole control
- Apply additional server-side authorization checks for state-changing requests

## References

- [https://cwe.mitre.org/data/definitions/352.html](https://cwe.mitre.org/data/definitions/352.html)
- [https://owasp.org/www-community/attacks/csrf](https://owasp.org/www-community/attacks/csrf)
- [https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html)
- [https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite)

## Discoverer

Parthiv Kumar Nikku ([[email protected]](mailto:[email protected]))